Edit tour

Windows Analysis Report
Loki.dll.dll

Overview

General Information

Sample name:	Loki.dll.dll (renamed file extension from exe to dll)
Original sample name:	Loki.dll.exe
Analysis ID:	1528326
MD5:	00011cf661d1611ff66531a71269a5de
SHA1:	58728362d2e3f8ebde3f8b8d145e6b25b353abfc
SHA256:	0911a1db0d352180f12241c3854af928c8c6089664710e427244c05ca43be097
Tags:	exeuser-ownagesbot
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to detect virtual machines (SGDT)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 3416 cmdline: loaddll64.exe "C:\Users\user\Desktop\Loki.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3220 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 6092 cmdline: rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2496 cmdline: rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Finalize MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 5644 cmdline: C:\Windows\system32\WerFault.exe -u -p 2496 -s 528 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 3412 cmdline: C:\Windows\system32\WerFault.exe -u -p 2496 -s 452 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 1416 cmdline: rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Initialize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,InitializeDataA MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5448 cmdline: rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Finalize MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 6284 cmdline: C:\Windows\system32\WerFault.exe -u -p 5448 -s 516 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1016 cmdline: C:\Windows\system32\WerFault.exe -u -p 5448 -s 244 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 2188 cmdline: rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Initialize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6556 cmdline: rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataA MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2100 cmdline: rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataW MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_f3e8a424-c

Source: Loki.dll.dll

Static PE information: certificate valid

Source: Loki.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: ws2_32.pdb source: rundll32.exe, 00000003.00000002.2274212830.0000021814F00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2173625284.0000021813377000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175820024.000002D681BA0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173257832.000002D6FCCF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357460990.0000018301A50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2221095074.000001837E357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2438748996.0000014A18910000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2244967373.0000014A16D47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391206194.000001C53D2E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449540178.000001C53EE40000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357842818.000001D1C9380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2392675504.000001D1C7847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2391538126.000002146B547000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2555190256.000002146D070000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2393412606.000001B229AB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2561529000.000001B22B590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.2172586529.0000021814FB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175998543.000002D68216D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2172571112.000002D681A52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2220742215.0000018301B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2243975595.0000014A188AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2396148768.000001C53F8ED000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2390583152.000001C53EDD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2390331760.000001D1C9315000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3358064086.000001D1C9E2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2390614846.000002146D11F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553128701.000002146DC2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559685319.000001B22C15D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2391390330.000001B22B645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.2172586529.0000021814FB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175998543.000002D68216D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2172571112.000002D681A52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2220742215.0000018301B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2243975595.0000014A188AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2396148768.000001C53F8ED000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2390583152.000001C53EDD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2390331760.000001D1C9315000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3358064086.000001D1C9E2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2390614846.000002146D11F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553128701.000002146DC2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559685319.000001B22C15D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2391390330.000001B22B645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: rundll32.exe, 00000003.00000003.2174285400.000002181337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2274108990.00000218135CC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175713708.000002D6818BC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173418988.000002D6FCCFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225027482.000001837E35B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357365604.00000183019AC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2245188149.0000014A16D4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437575985.0000014A186FC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391739274.000001C53D2EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449648800.000001C53EEEC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2393720762.000001D1C784B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357719592.000001D1C913C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2392001418.000002146B54B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553527917.000002146D00C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2396232233.000001B229ABB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559980410.000001B22B4BC000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: rundll32.exe, 00000003.00000003.2174285400.000002181337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2274108990.00000218135CC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175713708.000002D6818BC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173418988.000002D6FCCFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225027482.000001837E35B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357365604.00000183019AC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2245188149.0000014A16D4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437575985.0000014A186FC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391739274.000001C53D2EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449648800.000001C53EEEC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2393720762.000001D1C784B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357719592.000001D1C913C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2392001418.000002146B54B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553527917.000002146D00C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2396232233.000001B229ABB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559980410.000001B22B4BC000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: rundll32.exe, 00000003.00000002.2274212830.0000021814F00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2173625284.0000021813377000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175820024.000002D681BA0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173257832.000002D6FCCF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357460990.0000018301A50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2221095074.000001837E357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2438748996.0000014A18910000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2244967373.0000014A16D47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391206194.000001C53D2E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449540178.000001C53EE40000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357842818.000001D1C9380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2392675504.000001D1C7847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2391538126.000002146B547000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2555190256.000002146D070000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2393412606.000001B229AB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2561529000.000001B22B590000.00000004.00001000.00020000.00000000.sdmp

Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.akamai.com
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.akamai.comNGmem
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.akamai.comem1.
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.akamai.comemILhg
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://whatismyip.akamai.comly
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ggn.live/api/configs/public-ip
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ggn.live/api/configs/public-ip85P
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357207513.0000001C3187D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357213695.0000000A81EFC000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.la
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.la07ilesCoNg
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.la6)
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.lall
Source: rundll32.exe, 00000006.00000002.3357207513.0000001C3187D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357213695.0000000A81EFC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.laq
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.laxe_Numom
Source: rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.comPCespace
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.comamespacezg
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.comonUsers
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.coms(x86)=C:
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ipData
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ipE=ALD64umCo
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/iplRINGmS;.g
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ipon
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/raw
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/raw6)=C:Mg#
Source: rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/rawITECT
Source: rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myexternalip.com/rawOS=Wi

Source: rundll32.exe, 00000003.00000003.2174285400.000002181337C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

memstr_f90e7c8c-9

System Summary

PE file contains section with special chars

Source: Loki.dll.dll	Static PE information: section name: .o:)
Source: Loki.dll.dll	Static PE information: section name: .Mj)
Source: Loki.dll.dll	Static PE information: section name: .V{m
Source: Loki.dll.dll	Static PE information: section name: .n+\
Source: Loki.dll.dll	Static PE information: section name: .M>L
Source: Loki.dll.dll	Static PE information: section name: .`E%
Source: Loki.dll.dll	Static PE information: section name: .3%X

Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181584D310 NtQueryInformationProcess,	3_3_000002181584D310
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181584D1D0 NtClose,	3_3_000002181584D1D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FDD310 NtQueryInformationProcess,	6_2_0000018301FDD310
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1933D310 NtQueryInformationProcess,	9_3_0000014A1933D310
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F86D310 NtQueryInformationProcess,	14_3_000001C53F86D310
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DAD310 NtQueryInformationProcess,	15_2_000001D1C9DAD310
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DBAD310 NtQueryInformationProcess,	16_3_000002146DBAD310
Source: C:\Windows\System32\rundll32.exe	Code function: 17_3_000001B22C0DD310 NtQueryInformationProcess,	17_3_000001B22C0DD310

Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C7450	3_3_00000218157C7450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BA448	3_3_00000218157BA448
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CB430	3_3_00000218157CB430
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CD390	3_3_00000218157CD390
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DF380	3_3_00000218157DF380
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158303AC	3_3_00000218158303AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BE348	3_3_00000218157BE348
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B3404	3_3_00000218157B3404
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157E03F4	3_3_00000218157E03F4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DF690	3_3_00000218157DF690
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DB650	3_3_00000218157DB650
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CF630	3_3_00000218157CF630
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D261F	3_3_00000218157D261F
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D5710	3_3_00000218157D5710
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D2580	3_3_00000218157D2580
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D8543	3_3_00000218157D8543
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157F05F8	3_3_00000218157F05F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158C9594	3_3_00000218158C9594
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815822590	3_3_0000021815822590
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BA090	3_3_00000218157BA090
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C404C	3_3_00000218157C404C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DA104	3_3_00000218157DA104
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158A507C	3_3_00000218158A507C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B4F78	3_3_00000218157B4F78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B1F60	3_3_00000218157B1F60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815821FD4	3_3_0000021815821FD4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CAF50	3_3_00000218157CAF50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158B7FE4	3_3_00000218158B7FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815847FF4	3_3_0000021815847FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BBFE8	3_3_00000218158BBFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D4FE0	3_3_00000218157D4FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B8FE4	3_3_00000218157B8FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B3FA4	3_3_00000218157B3FA4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D9280	3_3_00000218157D9280
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DC316	3_3_00000218157DC316
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C12E0	3_3_00000218157C12E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CE2D8	3_3_00000218157CE2D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181588F26C	3_3_000002181588F26C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CC2B4	3_3_00000218157CC2B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D4160	3_3_00000218157D4160
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DA212	3_3_00000218157DA212
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D71D0	3_3_00000218157D71D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815843180	3_3_0000021815843180
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C9C40	3_3_00000218157C9C40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CEC28	3_3_00000218157CEC28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181581BC18	3_3_000002181581BC18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815813C20	3_3_0000021815813C20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158B8C28	3_3_00000218158B8C28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BBC8C	3_3_00000218158BBC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BDB60	3_3_00000218157BDB60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B5B5C	3_3_00000218157B5B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158A6BD8	3_3_00000218158A6BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158A9B20	3_3_00000218158A9B20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D5C00	3_3_00000218157D5C00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C7BE0	3_3_00000218157C7BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158A6E98	3_3_00000218158A6E98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815826EF0	3_3_0000021815826EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158AAF00	3_3_00000218158AAF00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815820E28	3_3_0000021815820E28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CFEF8	3_3_00000218157CFEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C6EE4	3_3_00000218157C6EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CEEB4	3_3_00000218157CEEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B2D40	3_3_00000218157B2D40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D7E0A	3_3_00000218157D7E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C2DE0	3_3_00000218157C2DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815814D58	3_3_0000021815814D58
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DFDC0	3_3_00000218157DFDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D8DBF	3_3_00000218157D8DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BFD88	3_3_00000218158BFD88
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B3888	3_3_00000218157B3888
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157C1840	3_3_00000218157C1840
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D782C	3_3_00000218157D782C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BA8B0	3_3_00000218157BA8B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157E18A0	3_3_00000218157E18A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157BB780	3_3_00000218157BB780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DC765	3_3_00000218157DC765
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815803740	3_3_0000021815803740
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158AA764	3_3_00000218158AA764
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BEABC	3_3_00000218158BEABC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BFAD4	3_3_00000218158BFAD4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815822ADC	3_3_0000021815822ADC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157DAA20	3_3_00000218157DAA20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CCA18	3_3_00000218157CCA18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815849A1C	3_3_0000021815849A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815803A5C	3_3_0000021815803A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D3990	3_3_00000218157D3990
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157B2980	3_3_00000218157B2980
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218158BF9E0	3_3_00000218158BF9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CE940	3_3_00000218157CE940
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181580AA00	3_3_000002181580AA00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_000002181584C920	3_3_000002181584C920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000021815885930	3_3_0000021815885930
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157D19E4	3_3_00000218157D19E4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_00000218157CA9E0	3_3_00000218157CA9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6C316	6_2_0000018301F6C316
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5E2D8	6_2_0000018301F5E2D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F512E0	6_2_0000018301F512E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5C2B4	6_2_0000018301F5C2B4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F69280	6_2_0000018301F69280
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6A212	6_2_0000018301F6A212
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F671D0	6_2_0000018301F671D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FD3180	6_2_0000018301FD3180
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F64160	6_2_0000018301F64160
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4A448	6_2_0000018301F4A448
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F57450	6_2_0000018301F57450
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5B430	6_2_0000018301F5B430
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F43404	6_2_0000018301F43404
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F703F4	6_2_0000018301F703F4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830201F26C	6_2_000001830201F26C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FC03AC	6_2_0000018301FC03AC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5D390	6_2_0000018301F5D390
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6F380	6_2_0000018301F6F380
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4E348	6_2_0000018301F4E348
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F65710	6_2_0000018301F65710
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830203A764	6_2_000001830203A764
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6F690	6_2_0000018301F6F690
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6B650	6_2_0000018301F6B650
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5F630	6_2_0000018301F5F630
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6261F	6_2_0000018301F6261F
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F805F8	6_2_0000018301F805F8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FB2590	6_2_0000018301FB2590
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F62580	6_2_0000018301F62580
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F68543	6_2_0000018301F68543
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FDC920	6_2_0000018301FDC920
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302059594	6_2_0000018302059594
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4A8B0	6_2_0000018301F4A8B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F718A0	6_2_0000018301F718A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F43888	6_2_0000018301F43888
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F51840	6_2_0000018301F51840
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6782C	6_2_0000018301F6782C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4B780	6_2_0000018301F4B780
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6C765	6_2_0000018301F6C765
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F93740	6_2_0000018301F93740
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FB2ADC	6_2_0000018301FB2ADC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302036BD8	6_2_0000018302036BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F93A5C	6_2_0000018301F93A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5CA18	6_2_0000018301F5CA18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302048C28	6_2_0000018302048C28
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FD9A1C	6_2_0000018301FD9A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6AA20	6_2_0000018301F6AA20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F9AA00	6_2_0000018301F9AA00
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F619E4	6_2_0000018301F619E4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5A9E0	6_2_0000018301F5A9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204BC8C	6_2_000001830204BC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F63990	6_2_0000018301F63990
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F42980	6_2_0000018301F42980
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5E940	6_2_0000018301F5E940
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302015930	6_2_0000018302015930
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204F9E0	6_2_000001830204F9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F59C40	6_2_0000018301F59C40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5EC28	6_2_0000018301F5EC28
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FA3C20	6_2_0000018301FA3C20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FABC18	6_2_0000018301FABC18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F65C00	6_2_0000018301F65C00
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F57BE0	6_2_0000018301F57BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204EABC	6_2_000001830204EABC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204FAD4	6_2_000001830204FAD4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4DB60	6_2_0000018301F4DB60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F45B5C	6_2_0000018301F45B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302039B20	6_2_0000018302039B20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5FEF8	6_2_0000018301F5FEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F56EE4	6_2_0000018301F56EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FB6EF0	6_2_0000018301FB6EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5EEB4	6_2_0000018301F5EEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204BFE8	6_2_000001830204BFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302047FE4	6_2_0000018302047FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FB0E28	6_2_0000018301FB0E28
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F67E0A	6_2_0000018301F67E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F52DE0	6_2_0000018301F52DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830203507C	6_2_000001830203507C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6FDC0	6_2_0000018301F6FDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F68DBF	6_2_0000018301F68DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FA4D58	6_2_0000018301FA4D58
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F42D40	6_2_0000018301F42D40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F6A104	6_2_0000018301F6A104
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830204FD88	6_2_000001830204FD88
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F4A090	6_2_0000018301F4A090
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5404C	6_2_0000018301F5404C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FD7FF4	6_2_0000018301FD7FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F48FE4	6_2_0000018301F48FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301FB1FD4	6_2_0000018301FB1FD4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F64FE0	6_2_0000018301F64FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F43FA4	6_2_0000018301F43FA4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018302036E98	6_2_0000018302036E98
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F44F78	6_2_0000018301F44F78
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F41F60	6_2_0000018301F41F60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000018301F5AF50	6_2_0000018301F5AF50
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001830203AF00	6_2_000001830203AF00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19333180	9_3_0000014A19333180
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C4160	9_3_0000014A192C4160
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C71D0	9_3_0000014A192C71D0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1939507C	9_3_0000014A1939507C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B404C	9_3_0000014A192B404C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192AA090	9_3_0000014A192AA090
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CA104	9_3_0000014A192CA104
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192AE348	9_3_0000014A192AE348
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CC316	9_3_0000014A192CC316
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CF380	9_3_0000014A192CF380
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193203AC	9_3_0000014A193203AC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BD390	9_3_0000014A192BD390
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192D03F4	9_3_0000014A192D03F4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A3404	9_3_0000014A192A3404
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CA212	9_3_0000014A192CA212
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C9280	9_3_0000014A192C9280
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1937F26C	9_3_0000014A1937F26C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BC2B4	9_3_0000014A192BC2B4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BE2D8	9_3_0000014A192BE2D8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B12E0	9_3_0000014A192B12E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C8543	9_3_0000014A192C8543
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C2580	9_3_0000014A192C2580
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193B9594	9_3_0000014A193B9594
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19312590	9_3_0000014A19312590
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192E05F8	9_3_0000014A192E05F8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BB430	9_3_0000014A192BB430
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192AA448	9_3_0000014A192AA448
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B7450	9_3_0000014A192B7450
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192F3740	9_3_0000014A192F3740
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C5710	9_3_0000014A192C5710
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192AB780	9_3_0000014A192AB780
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1939A764	9_3_0000014A1939A764
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CC765	9_3_0000014A192CC765
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BF630	9_3_0000014A192BF630
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C261F	9_3_0000014A192C261F
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CB650	9_3_0000014A192CB650
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CF690	9_3_0000014A192CF690
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19375930	9_3_0000014A19375930
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BE940	9_3_0000014A192BE940
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1933C920	9_3_0000014A1933C920
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A2980	9_3_0000014A192A2980
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C3990	9_3_0000014A192C3990
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192FAA00	9_3_0000014A192FAA00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193AF9E0	9_3_0000014A193AF9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C19E4	9_3_0000014A192C19E4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BA9E0	9_3_0000014A192BA9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C782C	9_3_0000014A192C782C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B1840	9_3_0000014A192B1840
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A3888	9_3_0000014A192A3888
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192AA8B0	9_3_0000014A192AA8B0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192D18A0	9_3_0000014A192D18A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19399B20	9_3_0000014A19399B20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A5B5C	9_3_0000014A192A5B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192ADB60	9_3_0000014A192ADB60
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C5C00	9_3_0000014A192C5C00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19396BD8	9_3_0000014A19396BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B7BE0	9_3_0000014A192B7BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19339A1C	9_3_0000014A19339A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BCA18	9_3_0000014A192BCA18
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CAA20	9_3_0000014A192CAA20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192F3A5C	9_3_0000014A192F3A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193AEABC	9_3_0000014A193AEABC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19312ADC	9_3_0000014A19312ADC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193AFAD4	9_3_0000014A193AFAD4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A2D40	9_3_0000014A192A2D40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193AFD88	9_3_0000014A193AFD88
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19304D58	9_3_0000014A19304D58
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C8DBF	9_3_0000014A192C8DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192CFDC0	9_3_0000014A192CFDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B2DE0	9_3_0000014A192B2DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B9C40	9_3_0000014A192B9C40
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193A8C28	9_3_0000014A193A8C28
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19303C20	9_3_0000014A19303C20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BEC28	9_3_0000014A192BEC28
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1930BC18	9_3_0000014A1930BC18
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193ABC8C	9_3_0000014A193ABC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A4F78	9_3_0000014A192A4F78
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BAF50	9_3_0000014A192BAF50
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A1F60	9_3_0000014A192A1F60
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A3FA4	9_3_0000014A192A3FA4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19337FF4	9_3_0000014A19337FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193A7FE4	9_3_0000014A193A7FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A193ABFE8	9_3_0000014A193ABFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192A8FE4	9_3_0000014A192A8FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C4FE0	9_3_0000014A192C4FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19311FD4	9_3_0000014A19311FD4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192C7E0A	9_3_0000014A192C7E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19310E28	9_3_0000014A19310E28
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BEEB4	9_3_0000014A192BEEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19396E98	9_3_0000014A19396E98
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192BFEF8	9_3_0000014A192BFEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A1939AF00	9_3_0000014A1939AF00
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A19316EF0	9_3_0000014A19316EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000014A192B6EE4	9_3_0000014A192B6EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D3888	14_3_000001C53F7D3888
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E1840	14_3_000001C53F7E1840
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F782C	14_3_000001C53F7F782C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F86C920	14_3_000001C53F86C920
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DA8B0	14_3_000001C53F7DA8B0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8018A0	14_3_000001C53F8018A0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DB780	14_3_000001C53F7DB780
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FC765	14_3_000001C53F7FC765
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F823740	14_3_000001C53F823740
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8CA764	14_3_000001C53F8CA764
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FB650	14_3_000001C53F7FB650
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EF630	14_3_000001C53F7EF630
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F5710	14_3_000001C53F7F5710
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FF690	14_3_000001C53F7FF690
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F2580	14_3_000001C53F7F2580
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8105F8	14_3_000001C53F8105F8
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F8543	14_3_000001C53F7F8543
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F261F	14_3_000001C53F7F261F
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8E9594	14_3_000001C53F8E9594
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F842590	14_3_000001C53F842590
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E7450	14_3_000001C53F7E7450
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DA448	14_3_000001C53F7DA448
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EB430	14_3_000001C53F7EB430
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8503AC	14_3_000001C53F8503AC
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7ED390	14_3_000001C53F7ED390
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8003F4	14_3_000001C53F8003F4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DE348	14_3_000001C53F7DE348
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D3404	14_3_000001C53F7D3404
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FF380	14_3_000001C53F7FF380
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F9280	14_3_000001C53F7F9280
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FC316	14_3_000001C53F7FC316
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E12E0	14_3_000001C53F7E12E0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EE2D8	14_3_000001C53F7EE2D8
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8AF26C	14_3_000001C53F8AF26C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EC2B4	14_3_000001C53F7EC2B4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F4160	14_3_000001C53F7F4160
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FA212	14_3_000001C53F7FA212
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F71D0	14_3_000001C53F7F71D0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F863180	14_3_000001C53F863180
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DA090	14_3_000001C53F7DA090
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E404C	14_3_000001C53F7E404C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FA104	14_3_000001C53F7FA104
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8C507C	14_3_000001C53F8C507C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D3FA4	14_3_000001C53F7D3FA4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F841FD4	14_3_000001C53F841FD4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D4F78	14_3_000001C53F7D4F78
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8D7FE4	14_3_000001C53F8D7FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D1F60	14_3_000001C53F7D1F60
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F867FF4	14_3_000001C53F867FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DBFE8	14_3_000001C53F8DBFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EAF50	14_3_000001C53F7EAF50
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D8FE4	14_3_000001C53F7D8FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F4FE0	14_3_000001C53F7F4FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F846EF0	14_3_000001C53F846EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8CAF00	14_3_000001C53F8CAF00
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F840E28	14_3_000001C53F840E28
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EFEF8	14_3_000001C53F7EFEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E6EE4	14_3_000001C53F7E6EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EEEB4	14_3_000001C53F7EEEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8C6E98	14_3_000001C53F8C6E98
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FFDC0	14_3_000001C53F7FFDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D2D40	14_3_000001C53F7D2D40
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F7E0A	14_3_000001C53F7F7E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F834D58	14_3_000001C53F834D58
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E2DE0	14_3_000001C53F7E2DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F8DBF	14_3_000001C53F7F8DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DFD88	14_3_000001C53F8DFD88
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E9C40	14_3_000001C53F7E9C40
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EEC28	14_3_000001C53F7EEC28
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8D8C28	14_3_000001C53F8D8C28
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DBC8C	14_3_000001C53F8DBC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8C6BD8	14_3_000001C53F8C6BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7DDB60	14_3_000001C53F7DDB60
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D5B5C	14_3_000001C53F7D5B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F83BC18	14_3_000001C53F83BC18
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F833C20	14_3_000001C53F833C20
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F5C00	14_3_000001C53F7F5C00
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7E7BE0	14_3_000001C53F7E7BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DEABC	14_3_000001C53F8DEABC
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DFAD4	14_3_000001C53F8DFAD4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F842ADC	14_3_000001C53F842ADC
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8C9B20	14_3_000001C53F8C9B20
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F823A5C	14_3_000001C53F823A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F3990	14_3_000001C53F7F3990
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7D2980	14_3_000001C53F7D2980
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8DF9E0	14_3_000001C53F8DF9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F82AA00	14_3_000001C53F82AA00
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EE940	14_3_000001C53F7EE940
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F869A1C	14_3_000001C53F869A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F8A5930	14_3_000001C53F8A5930
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7FAA20	14_3_000001C53F7FAA20
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7ECA18	14_3_000001C53F7ECA18
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7F19E4	14_3_000001C53F7F19E4
Source: C:\Windows\System32\rundll32.exe	Code function: 14_3_000001C53F7EA9E0	14_3_000001C53F7EA9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DA3180	15_2_000001D1C9DA3180
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D34160	15_2_000001D1C9D34160
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3A104	15_2_000001D1C9D3A104
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1A090	15_2_000001D1C9D1A090
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E0507C	15_2_000001D1C9E0507C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2404C	15_2_000001D1C9D2404C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DA7FF4	15_2_000001D1C9DA7FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E17FE4	15_2_000001D1C9E17FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1BFE8	15_2_000001D1C9E1BFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D18FE4	15_2_000001D1C9D18FE4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D81FD4	15_2_000001D1C9D81FD4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D34FE0	15_2_000001D1C9D34FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2D390	15_2_000001D1C9D2D390
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3F380	15_2_000001D1C9D3F380
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D903AC	15_2_000001D1C9D903AC
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1E348	15_2_000001D1C9D1E348
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3C316	15_2_000001D1C9D3C316
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2C2B4	15_2_000001D1C9D2C2B4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2E2D8	15_2_000001D1C9D2E2D8
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D212E0	15_2_000001D1C9D212E0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D39280	15_2_000001D1C9D39280
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DEF26C	15_2_000001D1C9DEF26C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3A212	15_2_000001D1C9D3A212
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D371D0	15_2_000001D1C9D371D0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E29594	15_2_000001D1C9E29594
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D82590	15_2_000001D1C9D82590
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D32580	15_2_000001D1C9D32580
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D38543	15_2_000001D1C9D38543
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1A448	15_2_000001D1C9D1A448
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D27450	15_2_000001D1C9D27450
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D13404	15_2_000001D1C9D13404
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D403F4	15_2_000001D1C9D403F4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2B430	15_2_000001D1C9D2B430
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1B780	15_2_000001D1C9D1B780
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E0A764	15_2_000001D1C9E0A764
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D63740	15_2_000001D1C9D63740
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3C765	15_2_000001D1C9D3C765
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D35710	15_2_000001D1C9D35710
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3F690	15_2_000001D1C9D3F690
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3B650	15_2_000001D1C9D3B650
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D505F8	15_2_000001D1C9D505F8
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2F630	15_2_000001D1C9D2F630
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3261F	15_2_000001D1C9D3261F
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D33990	15_2_000001D1C9D33990
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D12980	15_2_000001D1C9D12980
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2E940	15_2_000001D1C9D2E940
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DE5930	15_2_000001D1C9DE5930
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DAC920	15_2_000001D1C9DAC920
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D13888	15_2_000001D1C9D13888
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1A8B0	15_2_000001D1C9D1A8B0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D418A0	15_2_000001D1C9D418A0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D21840	15_2_000001D1C9D21840
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3782C	15_2_000001D1C9D3782C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D15B5C	15_2_000001D1C9D15B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D1DB60	15_2_000001D1C9D1DB60
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E09B20	15_2_000001D1C9E09B20
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1FAD4	15_2_000001D1C9E1FAD4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1EABC	15_2_000001D1C9E1EABC
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D82ADC	15_2_000001D1C9D82ADC
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D63A5C	15_2_000001D1C9D63A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D6AA00	15_2_000001D1C9D6AA00
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9DA9A1C	15_2_000001D1C9DA9A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2CA18	15_2_000001D1C9D2CA18
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3AA20	15_2_000001D1C9D3AA20
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1F9E0	15_2_000001D1C9E1F9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D319E4	15_2_000001D1C9D319E4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2A9E0	15_2_000001D1C9D2A9E0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1FD88	15_2_000001D1C9E1FD88
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D12D40	15_2_000001D1C9D12D40
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D74D58	15_2_000001D1C9D74D58
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E1BC8C	15_2_000001D1C9E1BC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D29C40	15_2_000001D1C9D29C40
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E18C28	15_2_000001D1C9E18C28
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D35C00	15_2_000001D1C9D35C00
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2EC28	15_2_000001D1C9D2EC28
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D7BC18	15_2_000001D1C9D7BC18
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D73C20	15_2_000001D1C9D73C20
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E06BD8	15_2_000001D1C9E06BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D27BE0	15_2_000001D1C9D27BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D14F78	15_2_000001D1C9D14F78
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D13FA4	15_2_000001D1C9D13FA4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2AF50	15_2_000001D1C9D2AF50
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D11F60	15_2_000001D1C9D11F60
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2FEF8	15_2_000001D1C9D2FEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E0AF00	15_2_000001D1C9E0AF00
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D2EEB4	15_2_000001D1C9D2EEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D26EE4	15_2_000001D1C9D26EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D86EF0	15_2_000001D1C9D86EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9E06E98	15_2_000001D1C9E06E98
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D37E0A	15_2_000001D1C9D37E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D80E28	15_2_000001D1C9D80E28
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D3FDC0	15_2_000001D1C9D3FDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D38DBF	15_2_000001D1C9D38DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000001D1C9D22DE0	15_2_000001D1C9D22DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB12D40	16_3_000002146DB12D40
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC1FD88	16_3_000002146DC1FD88
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB74D58	16_3_000002146DB74D58
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB29C40	16_3_000002146DB29C40
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB2EC28	16_3_000002146DB2EC28
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB7BC18	16_3_000002146DB7BC18
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC1BC8C	16_3_000002146DC1BC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB73C20	16_3_000002146DB73C20
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC18C28	16_3_000002146DC18C28
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC06BD8	16_3_000002146DC06BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB35C00	16_3_000002146DB35C00
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB27BE0	16_3_000002146DB27BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB2AF50	16_3_000002146DB2AF50
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB14F78	16_3_000002146DB14F78
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB11F60	16_3_000002146DB11F60
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB2EEB4	16_3_000002146DB2EEB4
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC0AF00	16_3_000002146DC0AF00
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DC06E98	16_3_000002146DC06E98
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB2FEF8	16_3_000002146DB2FEF8
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB26EE4	16_3_000002146DB26EE4
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB86EF0	16_3_000002146DB86EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB80E28	16_3_000002146DB80E28
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB3FDC0	16_3_000002146DB3FDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB38DBF	16_3_000002146DB38DBF
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB37E0A	16_3_000002146DB37E0A
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB22DE0	16_3_000002146DB22DE0
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB2E940	16_3_000002146DB2E940
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DBE5930	16_3_000002146DBE5930
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DBAC920	16_3_000002146DBAC920
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002146DB33990	16_3_000002146DB33990

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000002146DB60340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000014A192F0340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001D1C9DDDCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000002181587DCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001C53F89DCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000014A192F09B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000018301F90340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001C53F820340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001B22C090340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000002146DBDDCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000218158009B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000021815800340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000018301F909B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001B22C10DCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001830200DCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001C53F8209B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001B22C0909B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001D1C9D60340 appears 62 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000014A1936DCA8 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001D1C9D609B0 appears 184 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000002146DB609B0 appears 184 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2496 -s 528

Source: classification engine

Classification label: mal60.evad.winDLL@24/17@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2496
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5448

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\97f55fb0-bd8d-4371-8a5f-1f20fec0900f

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Finalize

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Loki.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Finalize
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Initialize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,InitializeDataA
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2496 -s 528
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2496 -s 452
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Finalize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Initialize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5448 -s 516
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5448 -s 244
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Finalize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Initialize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,InitializeDataA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Finalize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Initialize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataW	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Loki.dll.dll

Static PE information: certificate valid

Source: Loki.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: Loki.dll.dll

Static file information: File size 32211584 > 1048576

Source: Loki.dll.dll

Static PE information: Raw size of .M>L is bigger than: 0x100000 < 0x1eb3a00

Source: Loki.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: ws2_32.pdb source: rundll32.exe, 00000003.00000002.2274212830.0000021814F00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2173625284.0000021813377000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175820024.000002D681BA0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173257832.000002D6FCCF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357460990.0000018301A50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2221095074.000001837E357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2438748996.0000014A18910000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2244967373.0000014A16D47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391206194.000001C53D2E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449540178.000001C53EE40000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357842818.000001D1C9380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2392675504.000001D1C7847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2391538126.000002146B547000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2555190256.000002146D070000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2393412606.000001B229AB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2561529000.000001B22B590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.2172586529.0000021814FB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175998543.000002D68216D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2172571112.000002D681A52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2220742215.0000018301B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2243975595.0000014A188AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2396148768.000001C53F8ED000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2390583152.000001C53EDD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2390331760.000001D1C9315000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3358064086.000001D1C9E2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2390614846.000002146D11F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553128701.000002146DC2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559685319.000001B22C15D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2391390330.000001B22B645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.2172586529.0000021814FB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175998543.000002D68216D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2172571112.000002D681A52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2220742215.0000018301B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2243975595.0000014A188AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2396148768.000001C53F8ED000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2390583152.000001C53EDD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2390331760.000001D1C9315000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3358064086.000001D1C9E2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2390614846.000002146D11F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553128701.000002146DC2D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559685319.000001B22C15D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2391390330.000001B22B645000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: rundll32.exe, 00000003.00000003.2174285400.000002181337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2274108990.00000218135CC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175713708.000002D6818BC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173418988.000002D6FCCFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225027482.000001837E35B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357365604.00000183019AC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2245188149.0000014A16D4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437575985.0000014A186FC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391739274.000001C53D2EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449648800.000001C53EEEC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2393720762.000001D1C784B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357719592.000001D1C913C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2392001418.000002146B54B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553527917.000002146D00C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2396232233.000001B229ABB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559980410.000001B22B4BC000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: rundll32.exe, 00000003.00000003.2174285400.000002181337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2274108990.00000218135CC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175713708.000002D6818BC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173418988.000002D6FCCFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225027482.000001837E35B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357365604.00000183019AC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2245188149.0000014A16D4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437575985.0000014A186FC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391739274.000001C53D2EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449648800.000001C53EEEC000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2393720762.000001D1C784B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357719592.000001D1C913C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2392001418.000002146B54B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553527917.000002146D00C000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2396232233.000001B229ABB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559980410.000001B22B4BC000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: rundll32.exe, 00000003.00000002.2274212830.0000021814F00000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2173625284.0000021813377000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2175820024.000002D681BA0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2173257832.000002D6FCCF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357460990.0000018301A50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2221095074.000001837E357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2438748996.0000014A18910000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2244967373.0000014A16D47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2391206194.000001C53D2E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2449540178.000001C53EE40000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357842818.000001D1C9380000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2392675504.000001D1C7847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2391538126.000002146B547000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2555190256.000002146D070000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2393412606.000001B229AB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2561529000.000001B22B590000.00000004.00001000.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .M>L

Source: Loki.dll.dll	Static PE information: section name: .o:)
Source: Loki.dll.dll	Static PE information: section name: .Mj)
Source: Loki.dll.dll	Static PE information: section name: .zkV
Source: Loki.dll.dll	Static PE information: section name: .V{m
Source: Loki.dll.dll	Static PE information: section name: .n+\
Source: Loki.dll.dll	Static PE information: section name: .oSA
Source: Loki.dll.dll	Static PE information: section name: .M>L
Source: Loki.dll.dll	Static PE information: section name: .`E%
Source: Loki.dll.dll	Static PE information: section name: .3%X

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000DDB54FC1C8 push ecx; retf	0_2_000000DDB54FC229
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000DDB54FD818 push ecx; retf	0_2_000000DDB54FD8E9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000DDB54FC22A pushfd ; ret	0_2_000000DDB54FC341
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FAEC3A push ecx; retf	4_2_000000DB96FAEDB9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FADA72 push ecx; retf	4_2_000000DB96FADA79
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FAD99B push ecx; retf	4_2_000000DB96FAD9A9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FADB9B push ecx; retf	4_2_000000DB96FADBA9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FAE6E2 pushad ; retf	4_2_000000DB96FAE77F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FAEBBB push ecx; retf	4_2_000000DB96FAEC39
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000DB96FADBC2 push ecx; retf	4_2_000000DB96FADBD9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000018F658D4F8 push ecx; retf	9_2_00000018F658D4F9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000018F658E232 pushad ; retf	9_2_00000018F658E2CF
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000018F658D2A8 push ecx; retf	9_2_00000018F658D2A9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000018F658D5C8 push ecx; retf	9_2_00000018F658D5C9
Source: C:\Windows\System32\rundll32.exe	Code function: 9_2_00000018F658E70B push ecx; retf	9_2_00000018F658E789
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567D7DA push ecx; retf	14_2_00000070C567D8A9
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567D73B push ecx; retf	14_2_00000070C567D7D9
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567D9DA push ecx; retf	14_2_00000070C567DA09
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567D9CB push ecx; retf	14_2_00000070C567D9D9
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567E9A8 push ecx; retf	14_2_00000070C567EED9
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567E897 push ecx; retf	14_2_00000070C567EED9
Source: C:\Windows\System32\rundll32.exe	Code function: 14_2_00000070C567D522 push ecx; retf	14_2_00000070C567D589
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_00000075CE97D80A push ecx; retf	16_2_00000075CE97DAB9
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_00000075CE97D5E2 push ecx; retf	16_2_00000075CE97D639
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_00000075CE97E5C2 pushad ; retf	16_2_00000075CE97E65F
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDD7CB push ecx; retf	17_2_000000856FBDD7D9
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDE762 pushad ; retf	17_2_000000856FBDE7FF
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDEE2B push ecx; retf	17_2_000000856FBDEE39
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDECB3 push ecx; retf	17_2_000000856FBDECB9
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDDC1B push ecx; retf	17_2_000000856FBDDC29
Source: C:\Windows\System32\rundll32.exe	Code function: 17_2_000000856FBDDAEB push ecx; retf	17_2_000000856FBDDAF9

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll64.exe	Memory written: PID: 3416 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Memory written: PID: 3416 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2496 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2496 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 6092 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 6092 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 1416 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 1416 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 7120 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 7120 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 5448 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 5448 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2188 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2188 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 6556 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 6556 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2100 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2100 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 7FFD9128615B second address: 7FFD91286168 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 bt ebx, 10h 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 inc bp 0x0000000b cmp edi, eax 0x0000000d rdtsc
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 7FFD912A8D2B second address: 7FFD912A8D96 instructions: 0x00000000 rdtsc 0x00000002 inc esp 0x00000003 movzx ecx, dx 0x00000006 mov eax, dword ptr [esp+00000100h] 0x0000000d mov dword ptr [esp+30h], eax 0x00000011 dec eax 0x00000012 movsx ecx, ax 0x00000015 jmp 00007FD534DB8AE5h 0x0000001a dec eax 0x0000001b mov eax, dword ptr [esp+000000F8h] 0x00000022 inc cx 0x00000024 not ecx 0x00000026 cdq 0x00000027 inc sp 0x00000029 cmovnle eax, eax 0x0000002c dec eax 0x0000002d mov dword ptr [esp+28h], eax 0x00000031 dec ebp 0x00000032 movzx ecx, si 0x00000035 dec eax 0x00000036 mov eax, dword ptr [esp+000000F0h] 0x0000003d jmp 00007FD534DB8AE8h 0x00000042 dec eax 0x00000043 mov dword ptr [esp+20h], eax 0x00000047 movsx ecx, di 0x0000004a movsx cx, dl 0x0000004e dec esp 0x0000004f mov ecx, dword ptr [esp+000000E8h] 0x00000056 inc bp 0x00000058 movsx eax, dl 0x0000005b inc ecx 0x0000005c mov al, 5Eh 0x0000005e cbw 0x00000060 dec esp 0x00000061 mov eax, dword ptr [esp+000000E0h] 0x00000068 rdtsc
Source: C:\Windows\System32\loaddll64.exe	RDTSC instruction interceptor: First address: 7FFD9128615B second address: 7FFD91286168 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 bt ebx, 10h 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 inc bp 0x0000000b cmp edi, eax 0x0000000d rdtsc

Source: C:\Windows\System32\rundll32.exe

Code function: 3_3_00000218157DF230 rdtsc

3_3_00000218157DF230

Source: C:\Windows\System32\rundll32.exe

Code function: 9_2_00000018F658C38B sgdt fword ptr [eax]

9_2_00000018F658C38B

Source: C:\Windows\System32\loaddll64.exe TID: 2788

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000003.00000002.2273858332.0000021813310000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2175147566.000002D6FCCF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437510358.0000014A16D46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2437465179.0000014A16CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2423622751.000001C53D2E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2396463551.000001C53D280000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553448464.000002146B546000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2553303212.000002146B4DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2559893572.000001B229AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_3_00000218157DF230 rdtsc

3_3_00000218157DF230

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\System32\loaddll64.exe	NtUnmapViewOfSection: Direct from: 0x7FFD9317F883	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	NtProtectVirtualMemory: Direct from: 0x7FFD9317F8E7	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	NtMapViewOfSection: Direct from: 0x7FFD9317F8D9	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	NtProtectVirtualMemory: Indirect: 0x7FFD912BA147	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	NtProtectVirtualMemory: Direct from: 0x7FFD9317F924	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	1 Credential API Hooking	131 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Process Injection	11 Input Capture	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loki.dll.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://myexternalip.com/rawOS=Wi	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://icanhazip.com	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://whatismyip.akamai.comly	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.se/docs/http-cookies.html	rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://icanhazip.comPCespace	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.la	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3357207513.0000001C3187D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357213695.0000000A81EFC000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.laxe_Numom	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/ipon	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://myexternalip.com/rawITECT	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://whatismyip.akamai.comNGmem	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://myexternalip.com/raw6)=C:Mg#	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
https://curl.se/docs/alt-svc.html	rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://api.ggn.live/api/configs/public-ip	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://myexternalip.com/raw	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.se/docs/hsts.html	rundll32.exe, 00000003.00000002.2274684532.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.3358585398.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.3358598696.00007FFD8F65B000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://ipinfo.io/ipData	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://icanhazip.comonUsers	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://whatismyip.akamai.comem1.	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://whatismyip.akamai.comemILhg	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.la07ilesCoNg	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ggn.live/api/configs/public-ip85P	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.laq	rundll32.exe, 00000006.00000002.3357207513.0000001C3187D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357213695.0000000A81EFC000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/ipE=ALD64umCo	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.la6)	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/iplRINGmS;.g	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://icanhazip.coms(x86)=C:	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://whatismyip.akamai.com	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://icanhazip.comamespacezg	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.myip.lall	rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/ip	rundll32.exe, 00000006.00000002.3358098892.000001837E2C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.3357407509.000001D1C77B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528326
Start date and time:	2024-10-07 19:31:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loki.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	Loki.dll.exe
Detection:	MAL
Classification:	mal60.evad.winDLL@24/17@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 200

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 104.208.16.94, 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target loaddll64.exe, PID 3416 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1416 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2100 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2188 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2496 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5448 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6092 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6556 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7120 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Loki.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
13:32:20	API Interceptor	4x Sleep call for process: WerFault.exe modified
13:32:21	API Interceptor	1x Sleep call for process: loaddll64.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_854b105fcaad69833d11c726c849e131e599a12_f58d6082_9dba2821-f4e0-4848-8ddd-18ed2f9dbbed\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8463164799864327
Encrypted:	false
SSDEEP:	192:2QWi4yJe0BgLbkXj3gzuiFaZ24lO81fS:3WiVJFBIkXjwzuiFaY4lO81f
MD5:	6EB8C5C9DB82560F96AD5A3D345B569E
SHA1:	C30794260D85F7F0ED192AD1F68CDD06C0777689
SHA-256:	4F3C806401E1A6FC1A57EE4466F7806CDA47D06C1E7AD21D2FA7826AF0E67477
SHA-512:	DB7B98834A8672AE556677E8B52C4FEA6A18265D5FFFECF1609AACEAA59D86DD7E84FF35D0E17B5D050A545537DEF78F6FFD97F69F69815B7717016FC808ADF3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.9.3.2.8.0.5.6.2.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.9.3.7.8.2.1.2.5.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.b.a.2.8.2.1.-.f.4.e.0.-.4.8.4.8.-.8.d.d.d.-.1.8.e.d.2.f.9.d.b.b.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.5.5.9.7.b.a.-.c.8.d.7.-.4.c.4.d.-.a.b.1.4.-.b.2.5.6.4.1.9.3.f.2.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.L.o.k.i...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.0.-.0.0.0.1.-.0.0.1.5.-.9.b.1.9.-.e.6.d.3.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_854b105fcaad69833d11c726c849e131e599a12_f58d6082_c9cac7d9-4b98-4bd9-b74c-cc2857da2bb9\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7608189979403657
Encrypted:	false
SSDEEP:	192:3P0pUiNyne0pa5Qj0AzuiFaZ24lO81fS:ji4nFpa5QjLzuiFaY4lO81f
MD5:	DFAAC4594D258FADBBE9D07C560401F1
SHA1:	8D59FA1EBA11916750F200859E788AB45BA0969F
SHA-256:	1F295856607B456437BB513E0D7AC60342C852CC75162A5C7033B27D5AEF91D3
SHA-512:	C85BDDDC5D132F4DE0E14081808AB72EFE94C7464FE8E91CD30D74ADB1979618CA8AB8BEF5E1F67C687FE900CA35B6A0C7C38A69E7CB7A24D43E325876BBEE47
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.9.5.6.1.4.2.4.6.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.9.5.6.5.0.1.8.4.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.c.a.c.7.d.9.-.4.b.9.8.-.4.b.d.9.-.b.7.4.c.-.c.c.2.8.5.7.d.a.2.b.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.e.a.c.2.9.1.-.8.a.3.7.-.4.8.b.2.-.a.8.0.4.-.9.0.e.9.9.6.5.d.c.5.4.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.L.o.k.i...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.8.-.0.0.0.1.-.0.0.1.5.-.f.d.5.4.-.6.e.d.d.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_b782053f3f0ac26fd43d6671732ad0e6807ab3_f58d6082_22c71449-6dc8-4223-a80a-d0c15493f78c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8455834479874422
Encrypted:	false
SSDEEP:	96:bE84i4yKyJsj74Rv1y/fpQXIDcQ4c6fcE+cw3vXaXz+HbHgSQgJjgh88Wpoxm9nK:wji4yJ70WbkLj3gzuiFaZ24lO81fS
MD5:	D2FDAEAD8AE1F773A138EEC837307D57
SHA1:	BF2BF640862789DFEFEFF85E048D6EE48D7F9FE7
SHA-256:	714CBDE46655BA09762C1B4B4D1C3B60FB79562E3CDA4DEAEC2F5584C94244DF
SHA-512:	0AB0F257E19F7318050ECB626472D4005DCDE70B92C3E35C280D0122C79148E4A5EE65C6675A09EEB310746C495374F4C43E40AE48B73A2DE05A1C0F22C94605
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.9.4.1.5.9.1.3.5.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.9.4.6.4.6.6.3.4.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.c.7.1.4.4.9.-.6.d.c.8.-.4.2.2.3.-.a.8.0.a.-.d.0.c.1.5.4.9.3.f.7.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.7.d.a.8.a.3.-.6.5.8.0.-.4.3.6.6.-.9.6.c.6.-.4.3.b.c.4.8.6.e.8.3.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.L.o.k.i...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.0.-.0.0.0.1.-.0.0.1.5.-.9.b.1.9.-.e.6.d.3.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_b782053f3f0ac26fd43d6671732ad0e6807ab3_f58d6082_da67ddd5-614b-47ce-8b09-19e1b07a4e36\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8079095678449582
Encrypted:	false
SSDEEP:	192:NtMiNyQ70VOLWrjQOzuiFaZ24lO81fSP:Ui4QIV8WrjRzuiFaY4lO81f
MD5:	40A9EE983AF6C37F717C04AD49086E45
SHA1:	74505029E9D853C677E579CCB3B29ABBE805142A
SHA-256:	918D71B2E7398ABB882D77453132355E862E5674CD865ADAD4FD620AD02C2593
SHA-512:	5ADF6B7681193A5C365DB0EE27F946EE4CD4F60B5D56B194E7D711EAF4DD5F32996668C2D5118E34DFE7D451DF0AD1E4BA332C537571042DF88397FFED01C210
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.9.5.3.2.8.6.7.2.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.9.5.3.7.5.5.4.9.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.6.7.d.d.d.5.-.6.1.4.b.-.4.7.c.e.-.8.b.0.9.-.1.9.e.1.b.0.7.a.4.e.3.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.1.8.3.3.3.6.-.2.c.6.1.-.4.5.1.e.-.a.c.f.b.-.b.3.4.7.a.c.5.7.8.b.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.L.o.k.i...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.8.-.0.0.0.1.-.0.0.1.5.-.f.d.5.4.-.6.e.d.d.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 17:32:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	627886
Entropy (8bit):	1.437300041696871
Encrypted:	false
SSDEEP:	768:nwX9Rk+i8uGgNwB6OVYkNgEvFIxkQoreRy+Gg8Ul9chdN/3MJrNoByIvA9aK3hcI:smR5hfYj0cGCuAkfeDw
MD5:	104FE1ACB30AECD65502B7C3810F3922
SHA1:	88886ADDDDCEC5D6AAC10FA850B38F542863C698
SHA-256:	A7422D680826EEE1B90DD2C1CAA7BD4DEFD0859214C1EC62E91C78806467D7E4
SHA-512:	74B003714E7C1FC1F690B6A537D8B48843415E509DE2BC5FC6846961A75B23AF914B88BC53C000F302FEC77F9E69D521633D203C240C4E2B1C7591E1EEAC8888
Malicious:	false
Preview:	MDMP..a..... ..........g............T...........\...h.......$...........t....C..........`.......8...........T.......................................................................................................................eJ......l.......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7401.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9018
Entropy (8bit):	3.7062297126921697
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0j6i6YhD1ygmftiVyLXpDF89bQlMffwm:R6lXJO6i6Yl1ygmftiVhQ+fd
MD5:	6AAFBDEBC34CAB543DB0849C511F640B
SHA1:	724DFF48275C1D5EEB1E5721D0C5A888DB53EA38
SHA-256:	597E1CC7AF0E9F91DFE011EBF8BFB6A590FA05993D6231D90144A3D5E797DE22
SHA-512:	3F3965B9080A9DAD5B2B7C50EE7E75C8F3355146A45F7C317BCE68309EC985A6F30EA4D254ABE9DC829C670D4A2087B0AE1D1B3E8906751B074B45AD83F0C711
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER749E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4754
Entropy (8bit):	4.48129922883886
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg771I983WpW8VYFYm8M4JC7+C7MmFp9yq85m7r6ptSTS0d:uIjfLI7zG7VZJU9UpoO0d
MD5:	297CF65EF8014A541C3B2724620058F3
SHA1:	867EC62555344D67CF793661CD076F01EDA9FA88
SHA-256:	02A872373082D61AC382967B5BCC0E5EF0C727076E7389EFB1620C3758EFA8B9
SHA-512:	3A611A81F47E3170C697720851AC70F4EE02BCAFB407F4818AC9BB75C3CD64ACC92CFD1CFC80B1E8F7CCD7E64682E20ED2557A3A1B4F0B3BE767DA774455EAF3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533314" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88FF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 17:32:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	20144
Entropy (8bit):	2.7259653063962035
Encrypted:	false
SSDEEP:	96:5f8i+yU6lSBizuWDQZXVLRdqaJThcWSQbY7oi7Mk7nkYYFJ+Fj7lPIrJWIfPIBD+:iWlQZVIQLOMIk1FJQj7lQvb28VVyKnU
MD5:	AE4DA17ACAC2D68E3BB564928BE4C1F5
SHA1:	38237817F33AE4FD19EB6E389DD2C2DA29A24161
SHA-256:	F8A032C31C86621642AA0413EBB73601E61577F2633683517454C5CDE81A6234
SHA-512:	F3B6A543D74E0AB6830E17B36723D564F404664EB7DB6CB5AB07C9B86B33C5CFE79291874DB6ECD7C01F992A5B7CBC7D82E780E181EC60486B76AD062A7237B6
Malicious:	false
Preview:	MDMP..a..... .......%..g............4...........\...H.......$...........d....%..........`.......8...........T................:......................................................................................................eJ......L.......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B03.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9030
Entropy (8bit):	3.6960916294535875
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0rIF6YhiCgmftiWGprRf89bnd+fstm:R6lXJoo6YkCgmftiWggn0f7
MD5:	2B7A9B193F9516548D0430F34D5C1289
SHA1:	AB8B5E46E0F2B4008B9F1DA5B9861E5F52B53260
SHA-256:	902F38AC271F2F6191C9D767821352C867FA8683769DFFFA9CFC898283212378
SHA-512:	745C4E8000F30162E91AF7413C8F47A3BC561FFDD1BE6857ED4104912A31FA0DE737AAF38BE619BAE243B4043D71FE6D628F9C5142D9A5C907B4C078355D7391
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BC0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4754
Entropy (8bit):	4.48025809408428
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDuJg771I983WpW8VYRYm8M4JC7+C7MfFhyq85m7rjptSTS0d:uIjfDkI7zG7VtJT9poO0d
MD5:	891F6A9798308B3B32A7BBE44CEA8E2B
SHA1:	3937904864C68FDCBBA79FA9BD4591717FAFA65A
SHA-256:	00FB452D77829C0A4FF406DE150735C8D3E92A91F6BBF5D4EE14A843E074D9BB
SHA-512:	9E7597165C0DAAFB1E2E69DF73C9530BE5E9063E26AC074BC624429187AA66F70947F6990B5F0105D201D99831FC0720124A4A0687CD0DD7E14FFC90D3EFE6F4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6B6.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 17:32:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	96780
Entropy (8bit):	1.5158113738676373
Encrypted:	false
SSDEEP:	384:vojLKCPkrONsGC4M34zmoRmnUEJC2WeEKCzJp:AjmCPEONNmoR6JC2WU0Jp
MD5:	7D2024C269114839EB643D4BD921A742
SHA1:	A7E10CEE0D506B2F2B7AEF8B1F87699C2B22BB2F
SHA-256:	72393584F2A1C508F93C47C69B8000E5B7368AC9B708721C3FD00995102FE385
SHA-512:	4F71E54743C93AC28E8F484C3D4FC78C5949AC2FE6F8D2E7FD31583F4336538BBE45F6F7A4CA6F517B605A48A6413BEA1DF6A1D1DB04AE49738FA1EF01018CE3
Malicious:	false
Preview:	MDMP..a..... .......1..g............$...........@...8...........x.......D....=..........`.......8...........T...........@....h..........t...........`...............................................................................eJ..............Lw......................T.......H...%..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB744.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8740
Entropy (8bit):	3.7027167625020785
Encrypted:	false
SSDEEP:	192:R6l7wVeJQBgD6YKz9ZgmftiWN1MBprO89b/HdfV1m:R6lXJmgD6YezgmftiWN1i/9fW
MD5:	6F4E6403AB5031AF26F494CDA99D4603
SHA1:	1407EFEF5A48D45C0AE3C0C5105730E13ACFAF16
SHA-256:	49FC2769F9AF9FB7A4B420E01D45813C2C4DB0CA544582AC82A914A8A802A671
SHA-512:	9F36F941D82C8A7E191A1C456604CAAB61E2F3DF80764F0E35A2694FD220327E1558284DAA814925D41CF4DF74710D11E2DEEDAEE4C411C8EAE067FAC0789822
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.48372118681608
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDuJg771I983WpW8VYjYm8M4JC7+C7MfFcByq85m7r0ptSTSvd:uIjfDkI7zG7V7J6BupoOvd
MD5:	C3105C6E760140A99EE218B43EA617EE
SHA1:	FBDFBA239034597575840B2B146712A9AB43F65F
SHA-256:	C9F09A9EE211FD9A0205BD1F140F72F97E121259BCA246EF12953D894EEF12AE
SHA-512:	71935B7A8C2C54B0D364250ABF1F71D55A6C920AF3B2D8626E4DC07BC6E157833EBF1225B35C24AE8ECC72A90520A12E46EC273B0DC02AB3C2D47C98B38BE366
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1C2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 7 17:32:36 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	189080
Entropy (8bit):	1.5180158824810486
Encrypted:	false
SSDEEP:	768:a8E0HjW7tbAtvhpFu9rptKdWSaSfQUT82CuSZ6+P/oEZJGGj:aFxMVhDCdUwJUTTVSh/oEfGGj
MD5:	5D848AF3069ECE4D45426ABC7287E4DD
SHA1:	A6E0CBEA7216E59843C9A06F27062B6FC642614F
SHA-256:	6F11FB4F1573DE791D157C019990AB67ECBC156DFFF01AD5817ACEA7CCF4C3E0
SHA-512:	A44F19250A87C6573EB0E82AAC0C2073AC628D1922D690F59B9D8F914BE7404F02E767945D8BCEA58BF35D63AA5DC3D8713C9C120B369EE8DF76111273C853CF
Malicious:	false
Preview:	MDMP..a..... .......4..g............$...........L...8...................T...x;..........`.......8...........T...........8...`.......................................................................................................eJ..............Lw......................T.......H...%..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC25F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8988
Entropy (8bit):	3.7067754410513314
Encrypted:	false
SSDEEP:	192:R6l7wVeJQdEun6YKY9ZgmftiVUpDa89bSHLf+0Gmm:R6lXJ6Eu6YlzgmftiV6SrfQ
MD5:	000B474AAF19BB3064B9E9ED3BB88FB5
SHA1:	694729EAF8F03E86403922B44AF1064499DFB539
SHA-256:	9E8451E08EC37F003D0EE8C435E41AB6686E2755F5BC38572CD451D8B599BB0B
SHA-512:	B9049B65415279895E5A4937E26B3FD2264401D5B017AA35E9F611165A0AD40DB6CBB4FCF75458A1CA9BBBAE816EC313994711625358BC4A4894C9F1B87413E6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC28F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4754
Entropy (8bit):	4.481566605272552
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDuJg771I983WpW8VYAYm8M4JC7+C7MmF2yq85m7rtptSTSQd:uIjfDkI7zG7VUJtfpoOQd
MD5:	9C1271975854A4B39D58203194329FCC
SHA1:	207F7E5D7713B63B9413C504DD1EB060A5B5F4DB
SHA-256:	36E6E733FDD220C3AA3B9CD62788139F5DA520789EF0ED5194F04527A4C7301A
SHA-512:	96FBF95617269AF696D343CC51C681641E93ECF8DF71CF790B4352C50F9F21F6A70DE2C8AF00B41D280D887C555FEEDB32902846BE513AC3E94BBDE21DF2A869
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469536401525981
Encrypted:	false
SSDEEP:	6144:wzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:mZHtYZWOKnMM6bFpaj4
MD5:	665EACECA4F041256720ACC3E1468B43
SHA1:	B44FB509B91FED44D267563AFFAAF351EA8A934C
SHA-256:	EE71D4F54008B625C8441DB53D13CB4BADFBFBF59F623D6598923E41197D6877
SHA-512:	E97F1D07E995302012217A9496732389D650B9A54419F5DC7339A078DF853D8A468A2693AAB4E8A74C298A1341E51B63B10ACAA63F50A784610F1A278E7BC2C6
Malicious:	false
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.995096199762527
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	Loki.dll.dll
File size:	32'211'584 bytes
MD5:	00011cf661d1611ff66531a71269a5de
SHA1:	58728362d2e3f8ebde3f8b8d145e6b25b353abfc
SHA256:	0911a1db0d352180f12241c3854af928c8c6089664710e427244c05ca43be097
SHA512:	34de38f62fc3797293b61f1d1404584fe38f22c62fbd1026cda106e130329fc464396016c0dbf5327a8051543603ecca48388739c2524adaed7219abba888876
SSDEEP:	786432:+yId1hp2IA/WL6HyO7R5FmWWtuCmyhgUVD/EHBbyoYzLkx6Mc:bIdfp2Il0yO4P31EHB6zBL
TLSH:	5F6733BE511833ACC45E4878D423AC49B7F9861D8BBAD8D670CBBF90BFE74209905E45
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....U.f.........." ...(.....N............................................................`A...............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1839eefd5
Entrypoint Section:	.M>L
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x668B558C [Mon Jul 8 02:57:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4735ffff3e56a13039b671a545227ddc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/01/2024 01:00:00 12/01/2027 00:59:59
Subject Chain	CN=NSUS Limited, O=NSUS Limited, L=Dublin, C=IE, SERIALNUMBER=580602, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE
Version:	3
Thumbprint MD5:	948329649B2FF50E072406E400D38E2A
Thumbprint SHA-1:	7A70431858647F992AFF26D57A7D1B1D9961A0E1
Thumbprint SHA-256:	CB56916F61C496CFF751C9552BA8EEF834851019DA3ABB6BE6C42EFF5E42DB2B
Serial:	0F5347B8F6E27D7E8D5ED17B1C0A14A4

Entrypoint Preview

Instruction
push A9FE47F8h
call 00007FD5359868DDh
retf
mov eax, 8F590B5Ah
inc esp
mov eax, dword ptr [A94F0C5Bh]
adc al, 64h
cmp al, 29h
pop es
mov dl, 97h
cmp bl, byte ptr [esi-1384A2BEh]
adc ebp, dword ptr [eax-51A0DA65h]
inc ebp
sbb byte ptr [edi+esi*8+03h], bl
insd
aad 75h
sahf
cmp eax, dword ptr [edi+esi*8-29670153h]
test dword ptr [ebp+5B26937Bh], A66B83F9h
in al, 01h
pop ds
sti
dec eax
movsb
lodsb
out 16h, eax
std
wait
test eax, 2A685BB8h
jbe 00007FD53571D9CFh
mov ah, 84h
hlt
out ACh, al
inc ecx
jne 00007FD53571D9FAh
adc dword ptr [edi-7B4348CCh], ebp
sub ah, byte ptr [086D8476h]
add eax, 5EEE73D1h
jbe 00007FD53571DA16h
mov dword ptr [ecx], edx
mov eax, dword ptr [904B7C97h]
std
mov cl, F5h
mov esp, 18F33527h
aam A1h
int3
cmp ebp, dword ptr [ebx+47h]
add bl, byte ptr [ebx]
lodsd
or dword ptr [edi-62h], 61A16753h
mov byte ptr [edi+ecx*4+3245E6FDh], FFFFFFB7h
int3
push ss
push es
scasb
xlatb
fld dword ptr [edx]
mov esp, AEF55C18h
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x39e0e00	0xbd	.M>L
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b34530	0x1b8	.M>L
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3cdb000	0x3e1	.3%X
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3cc5690	0x142ec	.M>L
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1eb5400	0x2e80	.M>L
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3cda000	0xe4	.`E%
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3b1cae0	0x28	.M>L
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3cc1d90	0x140	.M>L
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e25000	0x1a0	.oSA
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.o:)	0x1000	0x199630	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.Mj)	0x19b000	0xb7344	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.zkV	0x253000	0x8f00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.V{m	0x25c000	0x11184	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.n+\	0x26e000	0x1bb64cd	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.oSA	0x1e25000	0xfe0	0x1000	a398eac6ab3230f46a5005ec15f37a76	False	0.043701171875	data	0.3449804503657124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.M>L	0x1e26000	0x1eb397c	0x1eb3a00	8fa1927cf3a5fe44e942efe3d8a358a6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.`E%	0x3cda000	0xe4	0x200	c02b8e39e8891129e9c58ac3fed86baa	False	0.359375	GLS_BINARY_LSB_FIRST	2.3678422783799595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.3%X	0x3cdb000	0x3e1	0x400	308356099c5997f24acb264b2f3a4ef0	False	0.4951171875	data	3.690397360897425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3cdb0a0	0x2b0	data	English	United States	0.48546511627906974
RT_MANIFEST	0x3cdb350	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
ntdll.dll	VerSetConditionMask
KERNEL32.dll	HeapFree
USER32.dll	CallWindowProcW
GDI32.dll	DeleteObject
ADVAPI32.dll	CryptDestroyHash
SHELL32.dll	CommandLineToArgvW
ole32.dll	CoCreateInstance
OLEAUT32.dll	SysAllocString
IPHLPAPI.DLL	GetAdaptersInfo
WININET.dll	InternetSetOptionA
WTSAPI32.dll	WTSEnumerateSessionsExA
WS2_32.dll	accept
CRYPT32.dll	CertGetCertificateChain
SHLWAPI.dll	StrStrIW
VERSION.dll	VerQueryValueW
FLTLIB.DLL	FilterGetDosName
bcrypt.dll	BCryptHashData
WLDAP32.dll
KERNEL32.dll	GetVersion
USER32.dll	CharUpperBuffW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Exports

Name	Ordinal	Address
Finalize	11	0x18008da10
Initialize	12	0x18008da00
InitializeDataA	13	0x18008d9c0
InitializeDataW	14	0x18008d9e0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:32:05
Start date:	07/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\Loki.dll.dll"
Imagebase:	0x7ff69e450000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:32:05
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:32:05
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1
Imagebase:	0x7ff7dbed0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:32:05
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Finalize
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:32:05
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",#1
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:32:08
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,Initialize
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:32:11
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Loki.dll.dll,InitializeDataA
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:32:12
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2496 -s 528
Imagebase:	0x7ff6d4f60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:32:21
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2496 -s 452
Imagebase:	0x7ff6d4f60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:32:21
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Finalize
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:32:21
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",Initialize
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:32:21
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataA
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:32:21
Start date:	07/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Loki.dll.dll",InitializeDataW
Imagebase:	0x7ff617cb0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:32:33
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5448 -s 516
Imagebase:	0x7ff6d4f60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:32:36
Start date:	07/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5448 -s 244
Imagebase:	0x7ff6d4f60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 000002181584C920 Relevance: 37.7, Strings: 30, Instructions: 239COMMON

Download Yara Rule

Strings

The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00000218158B0BA6
The resource is owned exclusively by thread %p, xrefs: 00000218158B0C11
*** enter .exr %p for the exception record, xrefs: 00000218158B0DE5
*** Resource timeout (%p) in %ws:%s, xrefs: 00000218158B0BE5
*** Inpage error in %ws:%s, xrefs: 00000218158B0CCB
an invalid address, %p, xrefs: 00000218158B0DBB
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00000218158B0C81
*** enter .cxr %p for the context, xrefs: 00000218158B0E04
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00000218158B0B96
*** A stack buffer overrun occurred in %ws:%s, xrefs: 00000218158B0B78
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00000218158B0D44
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00000218158B0C33
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00000218158B0D59
*** then kb to get the faulting stack, xrefs: 00000218158B0E14
write to, xrefs: 00000218158B0D87
<unknown>, xrefs: 00000218158B0AF9
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00000218158B0D50
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00000218158B0B86
The resource is owned shared by %d threads, xrefs: 00000218158B0C23
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00000218158B0B5D
The critical section is owned by thread %p., xrefs: 00000218158B0C68
a NULL pointer, xrefs: 00000218158B0DCD
Go determine why that thread has not released the critical section., xrefs: 00000218158B0C76
read from, xrefs: 00000218158B0D80
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 00000218158B0C49
This failed because of error %Ix., xrefs: 00000218158B0D05
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00000218158B0E3F
The instruction at %p tried to %s , xrefs: 00000218158B0D9F
*** An Access Violation occurred in %ws:%s, xrefs: 00000218158B0D6A
The instruction at %p referenced memory at %p., xrefs: 00000218158B0CEE

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction ID: b3736ecd51f6807a844ebce09cdcd1583d0da49fc603f0255e781068e7596082
Opcode Fuzzy Hash: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction Fuzzy Hash: F3B18F73200A44E6E714DB51A8D8AEB33E5F7AA748F864526AE4D1B6D5DF38C647C300

Function 000002181581BC18 Relevance: 17.7, Strings: 14, Instructions: 217COMMON

Download Yara Rule

Strings

SE_LdrResolveDllName, xrefs: 000002181581BDD0
ApphelpCheckModule, xrefs: 000002181581BE3A
SE_LdrEntryRemoved, xrefs: 000002181581BD66
SE_DllLoaded, xrefs: 000002181581BCFC
SE_ShimDllLoaded, xrefs: 000002181581BC5D
SE_ProcessDying, xrefs: 000002181581BD9B
SE_InstallBeforeInit, xrefs: 000002181581BC92
SE_InitializeEngine, xrefs: 000002181581BC26
SE_InstallAfterInit, xrefs: 000002181581BCC7
LdrpGetShimEngineInterface, xrefs: 0000021815870028
Could not locate procedure "%s" in the shim user DLL, xrefs: 000002181587003B
SE_DllUnloaded, xrefs: 000002181581BD31
SE_GetProcAddressForCaller, xrefs: 000002181581BE05
minkernel\ntdll\ldrinit.c, xrefs: 0000021815870034

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$minkernel\ntdll\ldrinit.c
API String ID: 0-1094803608
Opcode ID: 7fa8ce1c2e0970e1d448a219135c5cfc8aa92bc7a7c9598b19bf9368ff82cbcd
Instruction ID: af50881fd869c6a3c57bd80b1fe34ddc0630dfaa1616100cf544d2d4b88b18ad
Opcode Fuzzy Hash: 7fa8ce1c2e0970e1d448a219135c5cfc8aa92bc7a7c9598b19bf9368ff82cbcd
Instruction Fuzzy Hash: 26A19E73710A56AAFB00DB78E8D57DA27F1E76A358F802512AE0D87AA9DF34C047C740

Function 00000218157C2DE0 Relevance: 15.3, Strings: 12, Instructions: 334COMMON

Download Yara Rule

Strings

SXS: %s() - caller asked to use active activation context but passed %p, xrefs: 00000218157C3190
SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL, xrefs: 00000218157C3161
SXS: %s() - Caller passed invalid address, not in any .dll (%p), xrefs: 00000218157C31E8
RtlQueryInformationActivationContext, xrefs: 00000218157C2FEB, 00000218157C308E, 00000218157C30FE, 00000218157C311D, 00000218157C313F, 00000218157C3171, 00000218157C3189, 00000218157C31E1, 00000218157C3260, 00000218157C3299
SXS: %s() - Caller passed meaningless flags/class combination (0x%08lx/0x%08lx), xrefs: 00000218157C3095
SXS: %s() - Caller passed invalid flags (0x%08lx), xrefs: 00000218157C3105
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count, xrefs: 00000218157C2FF2
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu, xrefs: 00000218157C32A0
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer, xrefs: 00000218157C3146
SXS: %s() - caller asked for unknown information class %lu, xrefs: 00000218157C3124
SXS: %s() - Caller passed invalid hmodule (%p), xrefs: 00000218157C3267
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL, xrefs: 00000218157C316A

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: RtlQueryInformationActivationContext$SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL$SXS: %s() - Caller asked to use activation context from hmodule but passed NULL$SXS: %s() - Caller passed invalid address, not in any .dll (%p)$SXS: %s() - Caller passed invalid flags (0x%08lx)$SXS: %s() - Caller passed invalid hmodule (%p)$SXS: %s() - Caller passed meaningless flags/class combination (0x%08lx/0x%08lx)$SXS: %s() - caller asked for unknown information class %lu$SXS: %s() - caller asked to use active activation context but passed %p$SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer$SXS: %s() - caller supplied no buffer to populate and no place to return required byte count$SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
API String ID: 0-3344358112
Opcode ID: 3ff5508455042caa0a8fe042038ba14f8e077a5de2355db3dee3dbaabdd423cb
Instruction ID: a0f3044ff393012b02d3285c74d3d18aaee9fb676563102534ba8621f8002b97
Opcode Fuzzy Hash: 3ff5508455042caa0a8fe042038ba14f8e077a5de2355db3dee3dbaabdd423cb
Instruction Fuzzy Hash: 5FE10473204B82A6E765CB15A4E9BEA73E0F767788F404526DE8E47A95CF38C647C700

Function 00000218157C7BE0 Relevance: 15.2, Strings: 11, Instructions: 1424COMMON

Download Yara Rule

Strings

0, xrefs: 00000218157C7E25
DLL %wZ was redirected to %wZ by %s, xrefs: 00000218157C9071
minkernel\ntdll\ldrutil.c, xrefs: 00000218157C908F, 00000218157C9136
API set, xrefs: 00000218157C9044
LdrpPreprocessDllName, xrefs: 00000218157C9083, 00000218157C912A
H, xrefs: 00000218157C7DB8
minkernel\ntdll\ldrmap.c, xrefs: 00000218157C938C
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 00000218157C911B
Found circular dependent DLL: "%wZ" that failed to load previously, ModuleState: %d, xrefs: 00000218157C9371
SxS, xrefs: 00000218157C903D
LdrpFindOrPrepareLoadingModule, xrefs: 00000218157C9380

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$API set$DLL %wZ was redirected to %wZ by %s$Found circular dependent DLL: "%wZ" that failed to load previously, ModuleState: %d$H$LdrpFindOrPrepareLoadingModule$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrmap.c$minkernel\ntdll\ldrutil.c
API String ID: 0-1685226127
Opcode ID: 1c9491154642ab49ab2f9cf2ad3ab0666a16444924e9bba2b065fb512b0bc86d
Instruction ID: 0a174e40e482539b25c5f2babca07138bca3d42c3102ac78a39888698b15b33c
Opcode Fuzzy Hash: 1c9491154642ab49ab2f9cf2ad3ab0666a16444924e9bba2b065fb512b0bc86d
Instruction Fuzzy Hash: E6E29D73208BD295E7708B15E4A93EEB3E1F7A67A4F144529DA8D47B99DF38C442CB00

Function 0000021815822590 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 000002181587163C
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 000002181587176E
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0000021815871698
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0000021815871716
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 0000021815871604
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 000002181587155E
!, xrefs: 000002181582293A
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 0000021815871737
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00000218158716C2
RtlpResolveAssemblyStorageMapEntry, xrefs: 000002181587175B
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00000218158716E0

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-2172119191
Opcode ID: e6d02611bf700dc5259ab5be9d1dee7d1cd20074aa457e0abfdaf2fdfbb6fa94
Instruction ID: 1cdee7ae1a02665814186d6748157d6a50557a08292e6017ea5b37d50a68af96
Opcode Fuzzy Hash: e6d02611bf700dc5259ab5be9d1dee7d1cd20074aa457e0abfdaf2fdfbb6fa94
Instruction Fuzzy Hash: FD02AC33608B81AAEB10CB60E4886EF7BF1F76A788F500116DE8E57A59DF38C556C740

Function 00000218158AAF00 Relevance: 11.7, Strings: 9, Instructions: 489COMMON

Download Yara Rule

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00000218158AB45D
HEAP: , xrefs: 00000218158AB3F3, 00000218158AB44C, 00000218158AB4BE, 00000218158AB542, 00000218158AB591, 00000218158AB618, 00000218158AB678
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00000218158AB628
Heap block at %p is not last block in segment (%p), xrefs: 00000218158AB4CE
Free Heap block %p modified at %p after it was freed, xrefs: 00000218158AB406
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00000218158AB5A2
HEAP[%wZ]: , xrefs: 00000218158AB3E1, 00000218158AB43A, 00000218158AB4AC, 00000218158AB530, 00000218158AB57F, 00000218158AB606, 00000218158AB666
Heap block at %p has incorrect segment offset (%x), xrefs: 00000218158AB553
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00000218158AB688

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 312c84b731c6e7f0d4f73296451f14b52782add091b6bf8e27702144841eef8a
Instruction ID: eb954dfa7c9711987e1b53274180c6b25edac5198cffed5f15071bb617d998fc
Opcode Fuzzy Hash: 312c84b731c6e7f0d4f73296451f14b52782add091b6bf8e27702144841eef8a
Instruction Fuzzy Hash: BC22BC33204680A6EB249F25D4D83EB77E1F766B85F488416DE8E4B796DF38C892C710

Function 0000021815847FF4 Relevance: 11.1, APIs: 3, Strings: 3, Instructions: 571COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 00000218158484F2
write_multi_char.LIBCMT ref: 0000021815848528
write_multi_char.LIBCMT ref: 00000218158485DC

Strings

(null), xrefs: 0000021815848257, 000002181584825E
, xrefs: 00000218158484C0
(null), xrefs: 0000021815848201, 0000021815848329

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID: write_multi_char
String ID: $(null)$(null)
API String ID: 1522792728-3688460643
Opcode ID: 46f8325c63182233cd94aba375f3b08c15c0c9df301ad408c94172595348a6a1
Instruction ID: 366490981fb0c9214d81dddd5ac70a0502655c8e93f1e03478bd9d403dddffa7
Opcode Fuzzy Hash: 46f8325c63182233cd94aba375f3b08c15c0c9df301ad408c94172595348a6a1
Instruction Fuzzy Hash: 8C32BF33638290AAFB658B29D49C7EB6AE1A3B6744F154115EE4E13BD5DB78C843CF00

Function 00000218158AA764 Relevance: 10.4, Strings: 8, Instructions: 362COMMON

Download Yara Rule

Strings

Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 00000218158AAB55
HEAP: , xrefs: 00000218158AA95A, 00000218158AA9AC, 00000218158AAB46, 00000218158AABA4, 00000218158AAC9F, 00000218158AAD06
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 00000218158AACAF
dedicated (%04Ix) free list element %p is marked busy, xrefs: 00000218158AA9BC
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 00000218158AABB7
HEAP[%wZ]: , xrefs: 00000218158AA948, 00000218158AA99A, 00000218158AAB34, 00000218158AAB92, 00000218158AAC8D, 00000218158AACF4
Non-Dedicated free list element %p is out of order, xrefs: 00000218158AA969
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 00000218158AAD1E

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 1784c3dcfeff741ecb3cdecb4d8a92246f06b0910236960104e71aef30d624b8
Instruction ID: 94df281c5f2e10519b4dd1ee26b40c53e0d747c1d40528a20bd2e588d3233785
Opcode Fuzzy Hash: 1784c3dcfeff741ecb3cdecb4d8a92246f06b0910236960104e71aef30d624b8
Instruction Fuzzy Hash: 8B026973200A80A6EB54CF25D5C83EAB7E2F766B98F448412DE9D47A99DF74C5A3C300

Function 00000218158A9B20 Relevance: 10.3, Strings: 8, Instructions: 294COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00000218158A9C83, 00000218158A9D7D, 00000218158A9EDC, 00000218158A9F70, 00000218158A9FDA
Just reallocated block at %p to %Ix bytes, xrefs: 00000218158A9EF2
About to reallocate block at %p to %Ix bytes, xrefs: 00000218158A9C99
RtlReAllocateHeap, xrefs: 00000218158A9B85, 00000218158A9C31
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 00000218158A9D9F
HEAP[%wZ]: , xrefs: 00000218158A9C75, 00000218158A9D6F, 00000218158A9EC9, 00000218158A9F62, 00000218158A9FCC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 00000218158A9F97
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00000218158A9FF0

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 9d4b88e273e7c52128efdeae803a0fae9a3b5188c08abf6b34ea9f7f436da4d2
Instruction ID: 6b73f7ac3dee0f91607a3e2cf9f8882b417384425629a14ddcc59425e1ffce43
Opcode Fuzzy Hash: 9d4b88e273e7c52128efdeae803a0fae9a3b5188c08abf6b34ea9f7f436da4d2
Instruction Fuzzy Hash: 39D15A77208690A1EB55DB25E4C83EB67E1FBA6B80F458015DE8E477A6DF78C887C340

Function 0000021815843180 Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 617COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 0000021815843727
write_multi_char.LIBCMT ref: 000002181584375D
write_multi_char.LIBCMT ref: 0000021815843809

Strings

(null), xrefs: 000002181584350E
(null), xrefs: 000002181584338E, 00000218158434D2

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID: write_multi_char
String ID: (null)$(null)
API String ID: 1522792728-1601437019
Opcode ID: 46f63f85f55da20a58a920000d935df5769a32e06c2ac5bbfc90fe1f31d65b22
Instruction ID: 919b118645398e069cefe4523151296b044861f9ce1c614d31c45fd99196317f
Opcode Fuzzy Hash: 46f63f85f55da20a58a920000d935df5769a32e06c2ac5bbfc90fe1f31d65b22
Instruction Fuzzy Hash: CD32C133614690A6FB658F15E4C87EFAAE1F7A2784F544015EE4E47BD8DE78C982CB00

Function 00000218157D9280 Relevance: 9.3, Strings: 7, Instructions: 565COMMON

Download Yara Rule

Strings

33333333, xrefs: 00000218157D9413
33333333, xrefs: 00000218157D996B
UUUUUUUU, xrefs: 00000218157D9799
33333333, xrefs: 00000218157D97A3
UUUUUUUU, xrefs: 00000218157D9980
33333333, xrefs: 00000218157D963D
UUUUUUUU, xrefs: 00000218157D9630

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 33333333$33333333$33333333$33333333$UUUUUUUU$UUUUUUUU$UUUUUUUU
API String ID: 0-4134382927
Opcode ID: 9b942fd853efeeddec4b2c9d06931dfcb309ad4853dcf7c53bd11b7d76d822b1
Instruction ID: 6dce83f647ca075626ae9cd5c98509b8d72a2ed73c57a2d2be7d69ff646dfa47
Opcode Fuzzy Hash: 9b942fd853efeeddec4b2c9d06931dfcb309ad4853dcf7c53bd11b7d76d822b1
Instruction Fuzzy Hash: C62225737246945BEB648F26A4897EA72D2F7967A0F449425DE9E83B88DF3CC406C700

Function 0000021815822ADC Relevance: 9.0, Strings: 7, Instructions: 271COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 0000021815871987
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 00000218158719A4
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 000002181587191F
!, xrefs: 0000021815822C7E
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 0000021815871859
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 000002181587188D
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00000218158718C4

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-529398606
Opcode ID: e258e43ece415bda32cafe0998fabf99b76c0b09502ffecafc8f9239ee1b3eb9
Instruction ID: cd284f4867844c3041688162efca5b53a6704802426e2e75522dc7c98cd46df7
Opcode Fuzzy Hash: e258e43ece415bda32cafe0998fabf99b76c0b09502ffecafc8f9239ee1b3eb9
Instruction Fuzzy Hash: 3CC1BC33600B40A6FB10DF65E4883EE6BE1F7A6B88F584025AE8E57B95DF38C552C740

Function 00000218157CE2D8 Relevance: 8.2, Strings: 6, Instructions: 663COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 000002181585F5FD
((LONG)FreeEntry->Size > 1), xrefs: 000002181585F3FF
HEAP: , xrefs: 000002181585F28A, 000002181585F302, 000002181585F3F3, 000002181585F5F1, 000002181585F72D
(UCRBlock != NULL), xrefs: 000002181585F296
HEAP[%wZ]: , xrefs: 000002181585F278, 000002181585F2E8, 000002181585F3E1, 000002181585F5DF, 000002181585F71B
(!TrailingUCR), xrefs: 000002181585F30E, 000002181585F739

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 64ed58a3d7130cb7ea3cfe17b9696d4ebd853e28a3698ced5c972903f8e0b8ff
Instruction ID: 80e57b17f40598126d60db08d7ccd49166edb4f7f13f22e7eff88ede9582a079
Opcode Fuzzy Hash: 64ed58a3d7130cb7ea3cfe17b9696d4ebd853e28a3698ced5c972903f8e0b8ff
Instruction Fuzzy Hash: 3B62CD73614B85AAFB11CB65D4993EE27E5F76AB88F044822CE5E07B99DF38C552C300

Function 00000218157E18A0 Relevance: 8.0, Strings: 6, Instructions: 537COMMON

Download Yara Rule

Strings

Procedure "%s" could not be located in DLL at base 0x%p., xrefs: 00000218157E1D78
Loading procedure 0x%lx by ordinal, xrefs: 00000218157E1DD4
LdrpNameToOrdinal, xrefs: 00000218157E1D8A
Locating procedure "%s" by name, xrefs: 00000218157E1C6A
minkernel\ntdll\ldrsnap.c, xrefs: 00000218157E1C88, 00000218157E1D96, 00000218157E1DF2
LdrpGetProcedureAddress, xrefs: 00000218157E1C7C, 00000218157E1DE6

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpGetProcedureAddress$LdrpNameToOrdinal$Loading procedure 0x%lx by ordinal$Locating procedure "%s" by name$Procedure "%s" could not be located in DLL at base 0x%p.$minkernel\ntdll\ldrsnap.c
API String ID: 0-1899888655
Opcode ID: 956392858e48450fe9497d875b67d5c8d21206476c706ceb98442f7fec1832d4
Instruction ID: c0c11122b92ea26c3bc86efb44f19b68e882bd90cdc187009c4cac3210474fe6
Opcode Fuzzy Hash: 956392858e48450fe9497d875b67d5c8d21206476c706ceb98442f7fec1832d4
Instruction Fuzzy Hash: 6C329E73209BC096E660CB15F48ABDAB7E5F7AAB84F404516DE8D53B98DF38C542CB40

Function 00000218157CC2B4 Relevance: 7.9, Strings: 6, Instructions: 444COMMON

Download Yara Rule

Strings

[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 000002181585E38B
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 000002181585E3B6
minkernel\ntdll\sxsisol.cpp, xrefs: 000002181585E3C3, 000002181585E548
sxsisol_SearchActCtxForDllName, xrefs: 000002181585E37B
Internal error check failed, xrefs: 000002181585E3CA, 000002181585E54F
Status != STATUS_NOT_FOUND, xrefs: 000002181585E53B

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-4188369865
Opcode ID: b1f0ad58b0586960047d9a50791e5c70df975ebdb656d446f6027201126353cd
Instruction ID: 03a7a681dd980c17b71ef7f2999d24872de8c70e44a3b10b43b0b4f32469197e
Opcode Fuzzy Hash: b1f0ad58b0586960047d9a50791e5c70df975ebdb656d446f6027201126353cd
Instruction Fuzzy Hash: 5F12D137210A51AAEB248F11E5993EE73E4F76A788F408416EF5E47B94EF38C562C340

Function 00000218157BA8B0 Relevance: 5.9, Strings: 4, Instructions: 891COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0000021815859B7C
@, xrefs: 0000021815859C0C
HEAP: , xrefs: 0000021815859B70
HEAP[%wZ]: , xrefs: 0000021815859B62

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: ef1bedaf1ad34eb6e1a014d18ec5e10880d3dd459614d08ba7cd3535a3768aab
Instruction ID: 08304051b9241a28c535234dc084f00ecb580783ed65cdd4983d3988d3e6a4e1
Opcode Fuzzy Hash: ef1bedaf1ad34eb6e1a014d18ec5e10880d3dd459614d08ba7cd3535a3768aab
Instruction Fuzzy Hash: CB92B033218B8492FB608B15E4893EA77E4F7A6B94F144525EE9E47B99DF39C442C700

Function 00000218157D19E4 Relevance: 5.8, Strings: 4, Instructions: 843COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00000218157D23D4
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00000218157D23F8
HEAP[%wZ]: , xrefs: 00000218157D23C6
0, xrefs: 00000218157D1F61

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-3502968249
Opcode ID: a4510caa0c89401b76f5de31c57352d9c8cf5b76937f4ed49cccbffabda7d732
Instruction ID: 8b39122c0d6ae45aee72190789f6076def54aab7fc537cd870524ebde8d66e2e
Opcode Fuzzy Hash: a4510caa0c89401b76f5de31c57352d9c8cf5b76937f4ed49cccbffabda7d732
Instruction Fuzzy Hash: 7892B0732087C095EB618B25E0993EEBBE1F796B94F488416DB9D47B99DF38C442CB00

Function 00000218157D8543 Relevance: 5.7, Strings: 4, Instructions: 668COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00000218157D8904
UUUUUUUU, xrefs: 00000218157D8AD2
33333333, xrefs: 00000218157D8871
33333333, xrefs: 00000218157D8ABF

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 33333333$33333333$UUUUUUUU$UUUUUUUU
API String ID: 0-1344069251
Opcode ID: 2c947907119da1d42dac1de2725320c0e93e192574851af1bba2e1b359ac35fe
Instruction ID: eedf4bc766b060d0fad4477a6130d88cef4c02386fba36a0fc095ffc7928d954
Opcode Fuzzy Hash: 2c947907119da1d42dac1de2725320c0e93e192574851af1bba2e1b359ac35fe
Instruction Fuzzy Hash: CE42837332066496FB248F6A9499BEA23E1F72A7E4F055825DE5E57BC9DE3CC402C300

Function 00000218157CF630 Relevance: 5.4, Strings: 4, Instructions: 357COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00000218157CF7D7
HEAP: , xrefs: 00000218157CF79E
HEAP[%wZ]: , xrefs: 00000218157CF7B9
?, xrefs: 000002181585FE28

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: ?$HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3505926276
Opcode ID: 57cc9a81001e4e4ed9c646aa42d00af107b4c94d0e5fe88ad0e918f5d9ead0fd
Instruction ID: 01f4d14114fca1f007d63648ad3f0add96f94754d70d812183cb3427e5845b2f
Opcode Fuzzy Hash: 57cc9a81001e4e4ed9c646aa42d00af107b4c94d0e5fe88ad0e918f5d9ead0fd
Instruction Fuzzy Hash: 87E1EF732047C1A6EB248F2591A93FA67E1F726B98F048516DFAE0B785DF38C092D710

Function 00000218157CCA18 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 000002181585E75C
SsHd, xrefs: 00000218157CCA50
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 000002181585E78C
SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 000002181585E6F2

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: 86f5ab345584fe1295c7d874a37ef7d52c5d9079da38fe2bc6587396bd451b66
Instruction ID: fc32ed9c1974402c4f3f3e641b54e3d034ba89b49fa2dbf59a07d5d59b003322
Opcode Fuzzy Hash: 86f5ab345584fe1295c7d874a37ef7d52c5d9079da38fe2bc6587396bd451b66
Instruction Fuzzy Hash: D8B18933B00601AAEB64CFA5D5A87ED73F5F729788F0448269E1E57B98EB34D856C700

Function 00000218157CE940 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 000002181585F7AE, 000002181585F897
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 000002181585F7BA
HEAP[%wZ]: , xrefs: 000002181585F79C, 000002181585F87D
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 000002181585F8A3

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction ID: ef7f6398b8d301c5afcadd67666ed2816e3b9012015c6f6e797a8d315b59f45b
Opcode Fuzzy Hash: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction Fuzzy Hash: 91B1F573204681A9EB218F24E4997FE77E0F766B94F088825DE8E47B95DF38C486C300

Function 0000021815803A5C Relevance: 5.2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 000002181586AB58
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 000002181586ABA4
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 000002181586AB0C
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 000002181586ABF0

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 185bdc8d650c613d0b23549c6ca3cf8ca1f7cbc634b0280679e4feb69342ce5c
Instruction ID: 9ef9f073ce87bc1276eca53b1e0467ca4d79c2bdac7d1ac6246fe0e0b83a90d7
Opcode Fuzzy Hash: 185bdc8d650c613d0b23549c6ca3cf8ca1f7cbc634b0280679e4feb69342ce5c
Instruction Fuzzy Hash: 9EB14733205A84A5EB10DF21E4983EB77E5F7AAB98F504116EE4D07B99DF38C942CB40

Function 00000218157D5C00 Relevance: 5.1, Strings: 3, Instructions: 1378COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00000218157D6245, 00000218157D6435, 00000218157D656C
HEAP: , xrefs: 00000218157D622F, 00000218157D641F, 00000218157D6556
HEAP[%wZ]: , xrefs: 00000218157D6221, 00000218157D6411, 00000218157D6548

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: ea042823149d72ecbc3365dfe96c2e6ee8592eae8c9c2ef2ccd863b8faff5858
Instruction ID: 1de2f0212fddfd479ccd4e4359af3a7a3137590407d3dde295485c01d6de2a2e
Opcode Fuzzy Hash: ea042823149d72ecbc3365dfe96c2e6ee8592eae8c9c2ef2ccd863b8faff5858
Instruction Fuzzy Hash: 95D2AE732046D096EB64CF25E4893EA77E1F7A6B84F148526DE8E4BB99DF38C446C700

Function 00000218157CEEB4 Relevance: 4.3, Strings: 3, Instructions: 505COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00000218157CF0FF, 00000218157CF2A3, 000002181585FA62, 000002181585FC42
HEAP: , xrefs: 00000218157CF0B0, 00000218157CF257, 000002181585FA4C, 000002181585FC2F
HEAP[%wZ]: , xrefs: 00000218157CF0E1, 00000218157CF284, 000002181585FA36, 000002181585FC19

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3052b1e6192f4062ffbec7adcbb08dbd6b2aa93ac983fb3920cac3d966f131da
Instruction ID: 423dc231ef813debc7257655f34bee8b3fc2f33c830443e0ba78855bbeebe15f
Opcode Fuzzy Hash: 3052b1e6192f4062ffbec7adcbb08dbd6b2aa93ac983fb3920cac3d966f131da
Instruction Fuzzy Hash: 7D22DFB3214680A6EB249B21E4997EE73E1F726BC8F148412DEAE47B95DF38D453C700

Function 00000218157CA9E0 Relevance: 4.1, Strings: 3, Instructions: 357COMMON

Download Yara Rule

Strings

minkernel\ntdll\sxsisol.cpp, xrefs: 000002181585E1C2
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 000002181585E1B5
Internal error check failed, xrefs: 000002181585E1C9

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-2294630160
Opcode ID: ac66a9e6e201a35b87751616f2623dc004fc1a9e9ec96a26682f5b6564e03560
Instruction ID: 1ae4cb72ecb788c382dfd23ff904d6f040f4dbf3bd7351e9211375fa2d33943b
Opcode Fuzzy Hash: ac66a9e6e201a35b87751616f2623dc004fc1a9e9ec96a26682f5b6564e03560
Instruction Fuzzy Hash: A1F1D233604B92AAFB209F65D4EA3EE63E1F766749F004415EE4D57A98EFB4C582C300

Function 0000021815821FD4 Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 0000021815871497
SXS: %s() passed the empty activation context, xrefs: 00000218158713BF
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00000218158713B8, 000002181587148B

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-708081576
Opcode ID: a08af969f096d9b213d83f9848b1f0d91620eadbe4d58c89953167607e4f0268
Instruction ID: 620250c72297510eff2230edeeb20c486a944cec450a11736387a83957d1fecd
Opcode Fuzzy Hash: a08af969f096d9b213d83f9848b1f0d91620eadbe4d58c89953167607e4f0268
Instruction Fuzzy Hash: 70A1CE33200B84A2EA64DF16E4887EB67E1F76AB94F544126DF5E47BA5EF34C582C300

Function 00000218158A6BD8 Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00000218158A6DB8
HEAP[%wZ]: , xrefs: 00000218158A6DA6
Heap block at %p modified at %p past requested size of %Ix, xrefs: 00000218158A6DCE

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 8ddc8d36a4a97a380e9b64c1c3194329ce651c2e3e02657f524cd4afaa34f48e
Instruction ID: 6936a95e8aed01cdb9368541896b3e06f1e32f1e4a9a78e76a277296b3b1b877
Opcode Fuzzy Hash: 8ddc8d36a4a97a380e9b64c1c3194329ce651c2e3e02657f524cd4afaa34f48e
Instruction Fuzzy Hash: B961A473A0069491FB608F2AD4983BB77E0E3A6BD8F584426DE8E47698DE39C443D710

Function 0000021815849A1C Relevance: 3.1, Strings: 2, Instructions: 626COMMON

Download Yara Rule

Strings

(null), xrefs: 0000021815849D7C
(null), xrefs: 0000021815849C36, 0000021815849D40

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: (null)$(null)
API String ID: 0-1601437019
Opcode ID: ee9e82a73f0f7b41ccb7263d1f7d75d7e5d2c93bf12a050fd6c22aee8384ce96
Instruction ID: 570072afe2834243d36d98103444ae28b47d11b95a685128752b0b1a610ad615
Opcode Fuzzy Hash: ee9e82a73f0f7b41ccb7263d1f7d75d7e5d2c93bf12a050fd6c22aee8384ce96
Instruction Fuzzy Hash: 9232B073618250A6FB798B15D08C3FBAAE2F7A2740F545115EE4E5BBD8DFB9C8428700

Function 00000218157C7450 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

H, xrefs: 00000218157C7554
H, xrefs: 00000218157C75D9

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: d272bc255ade208adededd331a6a0a5148af9abdc4fee86b805ca2a3195012c0
Instruction ID: fe3a9534f3e5066112a74b616827859e04bc014ad0f741e553a4d9f4ad54f424
Opcode Fuzzy Hash: d272bc255ade208adededd331a6a0a5148af9abdc4fee86b805ca2a3195012c0
Instruction Fuzzy Hash: AD710333214681A1EB60DF21E8DA7DAA3E1F7AA784F448919DE8D07695CF38C586C700

Function 0000021815826EF0 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 0000021815873E56
33333333, xrefs: 0000021815873E3D

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: c8c3b3d1593fe70de0f05c3ffb741402f31477899ecd31a533e98d303d2d3fa5
Instruction ID: f408fd8973d6a5e8c68cdb31fa7a436bc00a99451e460d85114742bce02658fb
Opcode Fuzzy Hash: c8c3b3d1593fe70de0f05c3ffb741402f31477899ecd31a533e98d303d2d3fa5
Instruction Fuzzy Hash: 10417BB373866457DB24CB279494BAA6AD1E3A5BA4F49D220ED8D83F84DD3CD4068700

Function 00000218158BFAD4 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

33333333, xrefs: 00000218158BFB41
UUUUUUUU, xrefs: 00000218158BFB34

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: 3fce759d42d1bbfa3c525a7b83f861d36590e78a4759a5f7dbcc5420df6488a0
Instruction ID: f3b5d3133d26cc52ea16287818fbb6e205092c25e939f6a021ee7c553195da96
Opcode Fuzzy Hash: 3fce759d42d1bbfa3c525a7b83f861d36590e78a4759a5f7dbcc5420df6488a0
Instruction Fuzzy Hash: D741E233325B988ADB509F26A89539A77E0F355BD0F049426EE8E83B15CF3CD492C701

Function 0000021815814D58 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 0000021815814D85
33333333, xrefs: 0000021815814D98

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: d11d7f948b36b7ae82c7e0395378873c8bcf69784e746ea697273f7c05b1c62d
Instruction ID: 124ea201e3bda71a239687733abf4aff46ce78fd2bbab76e30dc8fbea4f43485
Opcode Fuzzy Hash: d11d7f948b36b7ae82c7e0395378873c8bcf69784e746ea697273f7c05b1c62d
Instruction Fuzzy Hash: 90313CB332564455EE59CB2991D8FAAA2D1AB3ABF4F58D021DE4E07B58DF2CC5428340

Function 00000218157DC316 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00000218157DC485

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: UUUUUUUU
API String ID: 0-4023394949
Opcode ID: 990d8a9f531230100281c4ddfeb6629b4515e5a295582a795020ef27493a1566
Instruction ID: ef723bcf52b68510ff25c55727fc24a0af5fb80ba5b484887f5592a392002914
Opcode Fuzzy Hash: 990d8a9f531230100281c4ddfeb6629b4515e5a295582a795020ef27493a1566
Instruction Fuzzy Hash: FA2211733146A0A6E7208F15D48A7F97BE5F36AB90F444916EA9E43BC8DF39C452C740

Function 00000218157DC765 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00000218157DC854

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: UUUUUUUU
API String ID: 0-4023394949
Opcode ID: 0729af824d6006994efa828cf175804bf73c8a13d1490fb551bc13b712fce42a
Instruction ID: 07b5084538ed3fa826b7adcef9a6da67ceb65564bc0df07483b56eb5ca441e6c
Opcode Fuzzy Hash: 0729af824d6006994efa828cf175804bf73c8a13d1490fb551bc13b712fce42a
Instruction Fuzzy Hash: 8BE1E27332469097E7248F15E48A7BA77E5F3AA780F504515EA8E47B88EF3DC856CB00

Function 00000218157BB780 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

H, xrefs: 00000218157BB94B

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 01aee726a08d6f6682f4e7016d4fff8514c7f31b4f751bfa34ca552355cf2792
Instruction ID: 704cdaed065d1e3102211ccb527aa137e652ad0851157b7f772a39b851eb82da
Opcode Fuzzy Hash: 01aee726a08d6f6682f4e7016d4fff8514c7f31b4f751bfa34ca552355cf2792
Instruction Fuzzy Hash: 0BB17C73618B8096E720CB25E4893AAB7F5F79A790F244625EF9D437A9DF39C442C700

Function 00000218157B8FE4 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

ort, xrefs: 00000218157B912E

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: ort
API String ID: 0-4138466142
Opcode ID: f11f2f15420b60d7886dc977569a352b8102e716e586da86d857358410745191
Instruction ID: 8926b8bc39c5f9b99ac75d51479647014de897082354c4c13c08d1e13dca3b39
Opcode Fuzzy Hash: f11f2f15420b60d7886dc977569a352b8102e716e586da86d857358410745191
Instruction Fuzzy Hash: DEC13733610B94AAE710CF65E8883DA77E5F75A7A8F104616EE8D47BA8DF38C446C740

Function 0000021815885930 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

\microsoft.system.package.metadata\Application, xrefs: 0000021815885BCF

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: \microsoft.system.package.metadata\Application
API String ID: 0-1898356463
Opcode ID: 6a4221407664fb576bec49f6de6e748125e8164fa1337aaffd323556d77740f5
Instruction ID: d44c9400e0340c72265d124b1a84f5e2f0d48a7796fff3c82e846c382a2075fb
Opcode Fuzzy Hash: 6a4221407664fb576bec49f6de6e748125e8164fa1337aaffd323556d77740f5
Instruction Fuzzy Hash: 4CA1BF37211B84A6EA218F15E4C83AE73E1F766B90F549215DE5E537E8EF38C852C710

Function 00000218157C6EE4 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

EXT-, xrefs: 00000218157C6F89

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 0489696efa543c17ad91c52756843ee31ce9f9b210237769841d28dfa021a087
Instruction ID: 248a64f67095908e44983969e4621dbaf878726ece6683716a1357c2c19400fd
Opcode Fuzzy Hash: 0489696efa543c17ad91c52756843ee31ce9f9b210237769841d28dfa021a087
Instruction Fuzzy Hash: 4251C333310652A9FB10DF75D8EA6EE67E1BB26798F401825AE0E6B695DE30C586C340

Function 00000218157DB650 Relevance: 1.0, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c04c87fa6def31d690ac35ad350aff916ed491aefff6c16c30fc5992120c70
Instruction ID: 5965c248db3ea216cc4a6bb453dfba199f7ad244dc1dc059bfd1bf4dcedb9be7
Opcode Fuzzy Hash: 59c04c87fa6def31d690ac35ad350aff916ed491aefff6c16c30fc5992120c70
Instruction Fuzzy Hash: 2092CF7321069496FBA58B26D4997FA33E0F76AB84F14852ADE5E473C9DF38C442CB40

Function 00000218157D5710 Relevance: .9, Instructions: 934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ac2aacbbecf181313f01092c982660c6c2a0d76dde22ae74fab07374b4c1a4
Instruction ID: 49e8c40e6d905f47ef0c77255f964cee7bc106d2f75e4e91e33b47f56a8d8df6
Opcode Fuzzy Hash: e8ac2aacbbecf181313f01092c982660c6c2a0d76dde22ae74fab07374b4c1a4
Instruction Fuzzy Hash: 15820E73210694A6EB60CB26E4D97EA77E1F766BD8F10851ADE8E477D8DE38C442C700

Function 00000218157F05F8 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4a36c3d811466c9d2dd470949ecbecefef1946b2d195084077707652d2be92
Instruction ID: cce920a2d7b94779c5e54b0df98759e7dc916cc3783a1bf23e784433c4e99415
Opcode Fuzzy Hash: aa4a36c3d811466c9d2dd470949ecbecefef1946b2d195084077707652d2be92
Instruction Fuzzy Hash: 2B52C277B302104BA758CB3DE896B9E33E2F388348744952DEA17D3B45EA3DD8558B81

Function 00000218157DAA20 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7042efde16eb5180cccf2e547176a8ff4bdb1c2a5bc8516ade5897d093ecd753
Instruction ID: aa1cb6e9246f6603df7191e298f13eca184a8a80b73684ba1af1ff025af318fe
Opcode Fuzzy Hash: 7042efde16eb5180cccf2e547176a8ff4bdb1c2a5bc8516ade5897d093ecd753
Instruction Fuzzy Hash: CA72007370068096FB248B66D49A3FE63E2F766B98F444915DE5E17BD9DE38C442C700

Function 00000218157DA104 Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38172376942acdb1bc2277c29224b364941815f79d79c3802b143d8e96fc91a2
Instruction ID: dc8dfe219b9502f2be264489111cd26db368c2f21bc659a9a2fc63d59e2ec947
Opcode Fuzzy Hash: 38172376942acdb1bc2277c29224b364941815f79d79c3802b143d8e96fc91a2
Instruction Fuzzy Hash: E732F773316740A1FEAA9F25929E7F926D1B7337E4E144E158D6E077C8DFB988439200

Function 00000218157C1840 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5c8d2ccb9a39a61b4da5aa2cd8db96b2adad494d6ce3e9efc14f691e5466fb
Instruction ID: 9fec6344b0aac31dae962056a179f13cff96b1d155113a29fca93d5663f89741
Opcode Fuzzy Hash: ac5c8d2ccb9a39a61b4da5aa2cd8db96b2adad494d6ce3e9efc14f691e5466fb
Instruction Fuzzy Hash: 1452CD73211B90A5EA65CB15D8883EA23E0F726BA8F548329DE6E4B7D4DF38C447C740

Function 00000218157D3990 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c410f08bd2f0d9e78ac14dc9cabd552a6f474b3d77da50edecf33f2824c65470
Instruction ID: def1b3fc3efdddc03c67b10d74905cb3d247b37397107e8103208405ee612734
Opcode Fuzzy Hash: c410f08bd2f0d9e78ac14dc9cabd552a6f474b3d77da50edecf33f2824c65470
Instruction Fuzzy Hash: 213255B371069096FB648B2AD48E7F966E2B7667A4F144A26DE7D477C9DF38C402C300

Function 00000218157C12E0 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0a61597e90e1a6a16bea0f5fcd1316f62579c0681b38ba327145997c267d4e
Instruction ID: f01a1c8c9e1595e4ab5d300c4d2eb06e062914f674558d339257cfff4be3324a
Opcode Fuzzy Hash: db0a61597e90e1a6a16bea0f5fcd1316f62579c0681b38ba327145997c267d4e
Instruction Fuzzy Hash: AA42DD73222B90A6EA64CB15D4987EA23E4F736BA9F108225DE6F477D4DF34C842C740

Function 00000218158A507C Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab801d32610c9b4feea4a992658eb19b3b41e33825c0ba1e8624f42e37cb55
Instruction ID: 50f97b33903f2a52e31afeddd8e80920016484b46f4a7e366b5042549d81f9ef
Opcode Fuzzy Hash: 37ab801d32610c9b4feea4a992658eb19b3b41e33825c0ba1e8624f42e37cb55
Instruction Fuzzy Hash: 2A429B73204680A6EF648F2990983BFB7E0F766B80F184015DF9E4B694EF38D492D720

Function 00000218158303AC Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fdc127006dc1745e6c3067b3ea6a5c75ba48a941c7b87eeb5f442d5910ec03
Instruction ID: 40634baf9049b6a4a283d0911103bebc8a908d0a4e1ca7d4abf23924ffe5bd16
Opcode Fuzzy Hash: d4fdc127006dc1745e6c3067b3ea6a5c75ba48a941c7b87eeb5f442d5910ec03
Instruction Fuzzy Hash: 7F22D633704684A2EB65AB2A94983FF2BD19767F84F141011DE9EC77DAEE25C943C740

Function 00000218157B3FA4 Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453577fa522ede81489b2afe023cdde7345505e8fd6775890d4371c8704ca4f9
Instruction ID: 8d5843e1f05a86a88a8a9cbc51c2169b07b5ed9612b1359b72f2e19f4f1db604
Opcode Fuzzy Hash: 453577fa522ede81489b2afe023cdde7345505e8fd6775890d4371c8704ca4f9
Instruction Fuzzy Hash: 05321F33320644A6EB658B2685993FA73E2F726B84F54452ACF4E47781EF38C853CB40

Function 00000218157D4FE0 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161e6623fae8936e1c50a3f9b0ed521dde515daaa5dfc567957d17acee8ebd51
Instruction ID: b3937ddf36690c2e3295fcc8dc9e11abc48a29c315fe8dafcf7eadd3c6dda288
Opcode Fuzzy Hash: 161e6623fae8936e1c50a3f9b0ed521dde515daaa5dfc567957d17acee8ebd51
Instruction Fuzzy Hash: 8422EE73210690A3EA758B26E4CA7F967E1F326B94F544912DE9E476C8EF39D847C300

Function 00000218157E03F4 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69649aafc6f8dcd3f5888303f7f9a404bfe79e87b58a11ee393085ee99e60e23
Instruction ID: 411b322920e7a00f14cba95548c7ba1d85195b043307d8a1e8e478c941f71d4e
Opcode Fuzzy Hash: 69649aafc6f8dcd3f5888303f7f9a404bfe79e87b58a11ee393085ee99e60e23
Instruction Fuzzy Hash: A922AE33201B80AAEB61CF25D88A7EA37E4F75A798F004915EE5D47B99DF34C692C340

Function 00000218157D71D0 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae2bc091ec84891f891b672186dd5c3c2d70c34a505b3e01fd5b3a98aa81400
Instruction ID: 19266837c66dd61e9d0a011709df5146d8862eccc1fe93009b3c860dfa7576b3
Opcode Fuzzy Hash: 9ae2bc091ec84891f891b672186dd5c3c2d70c34a505b3e01fd5b3a98aa81400
Instruction Fuzzy Hash: 551207737006D056FF248B26A4DA7FEA7D1E766BE4F444A15DE6E077DADE28C0428340

Function 00000218157B3888 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04151156e2ce9cc89e0622e9b2753a9377a83df6a92e20675cef84dc667be65
Instruction ID: 23cdf82884766ec408f60bbd1ad1d5d503830afd7fffeda242849ff13cb6524f
Opcode Fuzzy Hash: e04151156e2ce9cc89e0622e9b2753a9377a83df6a92e20675cef84dc667be65
Instruction Fuzzy Hash: 7412EEB3300684A6EB648F25D4997BA77E4F76AB84F108A1ADF4E47794DF38C492C740

Function 00000218158BBFE8 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5123aec429bb3aa92c58646897ae8df75fb16be8841982120ae429f14706cb4a
Instruction ID: 42108b6781648e9d04600e6a3167196d3a032d39f9fd844e37153a0778eeedde
Opcode Fuzzy Hash: 5123aec429bb3aa92c58646897ae8df75fb16be8841982120ae429f14706cb4a
Instruction Fuzzy Hash: 7312E17320429996EB648F25C0993BF7BE4F32AB84F448016EE9E47794DF38D992D710

Function 00000218158C9594 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e1267589a746f2b3f8f897455804ea794c33048be8379699ae60b8e2aae8b2
Instruction ID: 76dad6fc1a391044cd03a3e955040ae5a37852a2b007739198d16597b3ed9359
Opcode Fuzzy Hash: 27e1267589a746f2b3f8f897455804ea794c33048be8379699ae60b8e2aae8b2
Instruction Fuzzy Hash: C3F159737012905ADF1C8B62A4E97F9B6E1E73A7C0F554062EE9E4B7D9DE2CE9418300

Function 00000218157DF690 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2735846751daf0837c6ed4cbac980590bb4bae86e480f9b396de99c7dccbd0f5
Instruction ID: de44bb1dfce3cafa46bd4eb8fae8e369273f59629a69f99b44c902a5ecbd7f00
Opcode Fuzzy Hash: 2735846751daf0837c6ed4cbac980590bb4bae86e480f9b396de99c7dccbd0f5
Instruction Fuzzy Hash: 0A02B233710750A6EB14CB29A4C93EA73D6A7663A4F444625DE6E9B7D4EE38D443C340

Function 00000218157C9C40 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0779d600b25a3f79572f7d8e5436b890ce2db27ffe732372ad72baaf6925e3f3
Instruction ID: b618b371b75a5fa531914ad3b81b2ae039718f7f659322eeabccd4e10ec736ec
Opcode Fuzzy Hash: 0779d600b25a3f79572f7d8e5436b890ce2db27ffe732372ad72baaf6925e3f3
Instruction Fuzzy Hash: 1902BF73615791A1EBA09B55D4A93FEB3F0F766B84F458811EE8D03694EFB8C882C300

Function 00000218157CB430 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76612ad4c5fc52bd9f0281147e084ed7bfac384149956c60dcf8a03a962f787
Instruction ID: 5c925a39f97d0fc417ecad14de83872e4087f821847982725ff8da6c89096d36
Opcode Fuzzy Hash: e76612ad4c5fc52bd9f0281147e084ed7bfac384149956c60dcf8a03a962f787
Instruction Fuzzy Hash: 2002367361865296E7748F15D0E93BEB2E1F7A6744FD44415FB8E43694EF38C882AB00

Function 000002181580AA00 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f4c87623387f72b0e3369b14bf86500db5d655994ec98184d64fda92e65129
Instruction ID: 52b19393f4245a5767e82dead074461f1a43db64a0e55f8ff63670ede3f62dc4
Opcode Fuzzy Hash: b5f4c87623387f72b0e3369b14bf86500db5d655994ec98184d64fda92e65129
Instruction Fuzzy Hash: D0E1F43360419596FB698714C0E97FFA3C2E7B3740FA48626EE5F46AC4CEA889479311

Function 00000218157D7E0A Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c652289b5b09a2b69afb913f67827cba24fa42b3c05a8ae3f7b49f2ef63d23
Instruction ID: 99eef8c26f2cbe5bf68ca5e478a9b56c937e7026373531f358ddd8433bc0b455
Opcode Fuzzy Hash: c1c652289b5b09a2b69afb913f67827cba24fa42b3c05a8ae3f7b49f2ef63d23
Instruction Fuzzy Hash: 91C10473315784A1FFA98B11A69A7BAA6D167327E0F144E258E7D03BC9DF39D8478300

Function 00000218157CAF50 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dff3b51f20582953709b27bcf264bbc5f8ef1ba67035d9cc280cef08855dab
Instruction ID: 39065c65ef9794bcbb65b5c90702634e851c6311c692060652231dfb0c4f73af
Opcode Fuzzy Hash: 14dff3b51f20582953709b27bcf264bbc5f8ef1ba67035d9cc280cef08855dab
Instruction Fuzzy Hash: 18E18E33214B91A2EB649F16E4A93BE77E4F7A6B80F944415EE8E43794EF38C452D700

Function 00000218157DFDC0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b95be22f7c40d3a814d56d350c1611364c8255248a6b951acc4eaf2eaad8000
Instruction ID: 948c7a1785a0ba5d1155557011f9bee3a2f7c6ea3e98fcdb977e641ac4ab2cc8
Opcode Fuzzy Hash: 3b95be22f7c40d3a814d56d350c1611364c8255248a6b951acc4eaf2eaad8000
Instruction Fuzzy Hash: 18E1EF73214780A5EB618B16E8CA7EEA7E1F7A7B84F0408119E5E47799DF38D543C700

Function 00000218157B3404 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9def58cfe281d37f3fa068f1ca99c58bdfcd6f57fe4c3a631a7e77affb43c85b
Instruction ID: 9354d00f7e63568b5299dd321d1930e9406ae12f8d53c52939975d819fa6cc59
Opcode Fuzzy Hash: 9def58cfe281d37f3fa068f1ca99c58bdfcd6f57fe4c3a631a7e77affb43c85b
Instruction Fuzzy Hash: 43C1BE73B10B4496FB25CF75D4853FD23E2E76AB88F0485259E4E56B88EE38D586C380

Function 00000218157BE348 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f42665e9332aa56c5ec04f0d3dc57a2f24045d84dc25766044c13f35038c6b
Instruction ID: 6347b8df54b514c553c4894a55bb32448002e6974f4d82e735b5eddcc9b5b95e
Opcode Fuzzy Hash: a5f42665e9332aa56c5ec04f0d3dc57a2f24045d84dc25766044c13f35038c6b
Instruction Fuzzy Hash: BDC1AF73204780AAEB158F66D4993EE67E2FB16BD8F044926EE5E47B89DF74C442C340

Function 00000218157CD390 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4f2602b188c53062f10cd93bbd88849fe4abd1ef8ae189e4933ab7465103e8
Instruction ID: 5246bbff56d4848df433c49fbccc8ef33db6131c60a9ea4605aeb351c435cd29
Opcode Fuzzy Hash: 9b4f2602b188c53062f10cd93bbd88849fe4abd1ef8ae189e4933ab7465103e8
Instruction Fuzzy Hash: 48A13A73B105A2B5FAB45B2294EE7FB22D0B732719F854422DE5E471C0EE29CD478310

Function 00000218157BDB60 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291b54f9f89cd40658058ea0c19dc2fa9283b096f636e41a3386eb01f81be4b3
Instruction ID: 3f116b7d0a1b69cd203a21cb9af3606a84731ceb8c148af253197ebf499ddf4e
Opcode Fuzzy Hash: 291b54f9f89cd40658058ea0c19dc2fa9283b096f636e41a3386eb01f81be4b3
Instruction Fuzzy Hash: 6AA1687360429066FBB48B19949ABFA66E0F7B3784F108916CECE43BD5DE79C4438742

Function 00000218157BA090 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1640db7c3e8550ce3bc8320b03137af5ce4c5885704e317775d9be24e48dad3d
Instruction ID: 1bf47bf2ce061dfbed96fd85bfde23d174cca394e9c8bdf15cc18fb6df22062e
Opcode Fuzzy Hash: 1640db7c3e8550ce3bc8320b03137af5ce4c5885704e317775d9be24e48dad3d
Instruction Fuzzy Hash: D4B1F33321479096E764EB19E4897EE77E4F79A794F018629EE8E83790EF38C442C700

Function 0000021815803740 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf8a4ffade549838ee0ca02d740afddee892039bee2976519e79cbbb49e27c
Instruction ID: 6864cb24a5364fd2ea1dfd7e72a8b12f53290428148d8d42adeb69104e809730
Opcode Fuzzy Hash: 39bf8a4ffade549838ee0ca02d740afddee892039bee2976519e79cbbb49e27c
Instruction Fuzzy Hash: 69C16C33305A409AEB64CB26E4993EFB3E1F75A794F1042159EAE47B96CF38D046CB40

Function 0000021815813C20 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f8078a572b1e10a2a190cb23e46e2e716565e37a9497da35ca28564ce5589a
Instruction ID: 554dc1cd94d8ba9cc26f2af2fd49584c9b7264c90ba7b1cd77f60eefd581c19d
Opcode Fuzzy Hash: e3f8078a572b1e10a2a190cb23e46e2e716565e37a9497da35ca28564ce5589a
Instruction Fuzzy Hash: C3A1AC33321A50AAEB60DB15E4D87EA63E2F7A2B94F644411CE5D47BA9DF39C853C700

Function 00000218158BEABC Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8847e9c7feb5c5655e5590f410f803a3a474b4b26e1d402fcb989d09aeed376
Instruction ID: 2f6d6b3cda6813f491ce5c3e3ca3a6798ee68d0fef700f864a37eec104a3aa33
Opcode Fuzzy Hash: f8847e9c7feb5c5655e5590f410f803a3a474b4b26e1d402fcb989d09aeed376
Instruction Fuzzy Hash: 7491CA73B10A48AEEB20CB65D4893EA27E4F765798F044625DE5E17BC9EF38C056C340

Function 00000218157DF380 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1aeedb4069a7afe67e2e8445d625eb863d5f60f61216eee603005c7703b2dd
Instruction ID: 4295bd447c7819d802e668f2f0492d416f4e068025ebd1bb6566c31bc6242636
Opcode Fuzzy Hash: 1a1aeedb4069a7afe67e2e8445d625eb863d5f60f61216eee603005c7703b2dd
Instruction Fuzzy Hash: 88811333314254A6EB248F12E4D97BD32D1F766784F504429DE2F47B98DE79C8878700

Function 00000218157CEC28 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68de7ebb747cf6765532f63f65e221da1e509873f1d9d235fc96e9dcac214c29
Instruction ID: decd3187257d84c6a12ebaa82bd7e419d5ae35a7b29229a55608e1b2fd5ddf24
Opcode Fuzzy Hash: 68de7ebb747cf6765532f63f65e221da1e509873f1d9d235fc96e9dcac214c29
Instruction Fuzzy Hash: AA8117732006A19FE765CF29D4A96EE3BE1F3AA784F554929DE4E47B84DE34C442CB00

Function 00000218157D4160 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e8cb7015ae5f2f20d8059b8aad30a0c9e92bde207af6e09715838fa247e631
Instruction ID: 8f730ef477f48c753bcbe36c0ee3b69fef01cb8c3d48dffad331a8f04d6b1caa
Opcode Fuzzy Hash: 87e8cb7015ae5f2f20d8059b8aad30a0c9e92bde207af6e09715838fa247e631
Instruction Fuzzy Hash: EA91247320429496EB60CB2AD4CA7FA37E2F3667A0F044515EE9E47BD8DF78D4529B00

Function 00000218157B2D40 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90ebdc35c48b8485a2957f184aaa9a9db6deb2c85fd2d24ee5fc830322083a1
Instruction ID: 3e0bbc078c39813c98d97c8c7ee02aba45e063cc9244eb1874b4d6a0b8e535ac
Opcode Fuzzy Hash: f90ebdc35c48b8485a2957f184aaa9a9db6deb2c85fd2d24ee5fc830322083a1
Instruction Fuzzy Hash: AD7166B371569496EA20CB25D0897FAB7D1F369BE4F518611EE6E837C4CE38C142C700

Function 00000218158B8C28 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027735abf2eb933718682c6d5935a4d5ad41cc0b58109208e469bf2562a87887
Instruction ID: a58c419cfa8818f4a50a1f21753e5f4989641986dbaf3ee25d6ab1f980320e36
Opcode Fuzzy Hash: 027735abf2eb933718682c6d5935a4d5ad41cc0b58109208e469bf2562a87887
Instruction Fuzzy Hash: 658145737117805AEB48CB65A8D93B9B3E5E7687D0B448122EEAE877D4EE3CC442C700

Function 00000218157B4F78 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0183fae9a62aa5db8d6d7bfd38fd5f551e6f22721d6d463020c24c095fdcf7
Instruction ID: 6792831a4bffd6231b08efcad59f2fe8fc1df1c5fb27e02089211c5813719d86
Opcode Fuzzy Hash: 1e0183fae9a62aa5db8d6d7bfd38fd5f551e6f22721d6d463020c24c095fdcf7
Instruction Fuzzy Hash: 6D81BE73214B89A2EE108F25E0897EAB3E5F366BC4F514511EA4E07B98EF39C542C740

Function 000002181588F26C Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7d9f0ef12fad1ea3763805dc1e687c61913c3118d18500a695db8fccfde7a0
Instruction ID: b8aa91f226a2926389b330ba77674ee8bb8e25919e1b79227bff8fd2518e923a
Opcode Fuzzy Hash: ed7d9f0ef12fad1ea3763805dc1e687c61913c3118d18500a695db8fccfde7a0
Instruction Fuzzy Hash: 8C914A33205B81A6EA509F21E4D83DB73E5F79A794F540026EE6E87B98DF38C546CB00

Function 00000218157B5B5C Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51420a1838ed2857804101158e24e903e7aa8c180b89354c04789caea36d8851
Instruction ID: 8a7aec0bb4febea6a8aae46641e3d40538bdbc6ef71a5a062d3f2c9851c64270
Opcode Fuzzy Hash: 51420a1838ed2857804101158e24e903e7aa8c180b89354c04789caea36d8851
Instruction Fuzzy Hash: 2971143371179195EB00CB7699892ED77E1AB6ABD4F084626EE5E17B8AEF34C052C300

Function 0000021815820E28 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9cf5e66f8babf13dae02781ccd293fa21863c2052ce0b24aa10ff0e59c314d
Instruction ID: fe502ab9619ac5afb4e4189c93724fe6389cf5731074f6617db3107287b78217
Opcode Fuzzy Hash: ee9cf5e66f8babf13dae02781ccd293fa21863c2052ce0b24aa10ff0e59c314d
Instruction Fuzzy Hash: 2F7102773107D896FB608B26A4997AB36D1F3AAB84F508125DE8D87784DF38C442C741

Function 00000218158B7FE4 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89740c16b93fe0a04a5312b62a43ef749c0389d117928a281d396eebde5a54f5
Instruction ID: 49b9ae3efb8c86128ed21024b5c34ca6e7abf04bdaff28f036ccdefd3c8ebad9
Opcode Fuzzy Hash: 89740c16b93fe0a04a5312b62a43ef749c0389d117928a281d396eebde5a54f5
Instruction Fuzzy Hash: E6816073664A989EEF648B15D0987AA7BE8F366B80F548115DE8D07794CB35C892CF00

Function 00000218158BBC8C Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0158d79de2b83853ecf87e05d1cbfc204ffac227feeb5736cf73339569a45953
Instruction ID: 3e6fccd243345d5e8aa2e6fa4879d4b8c690260cb3819fbc987119151951afbd
Opcode Fuzzy Hash: 0158d79de2b83853ecf87e05d1cbfc204ffac227feeb5736cf73339569a45953
Instruction Fuzzy Hash: 6C8178736007A49BEB24CF25D4887AE3BA8F759798F10422ADF9D43B94DB39D462C740

Function 00000218157B1F60 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e994b67e052c044b85c782e5da481c7d4b38c5bb12c35f8b5e7e7f1322306983
Instruction ID: 7d6896da8178384b6960701bf59dc19db64336b13b621a2232ce4c755de94162
Opcode Fuzzy Hash: e994b67e052c044b85c782e5da481c7d4b38c5bb12c35f8b5e7e7f1322306983
Instruction Fuzzy Hash: B971B133215284A6F7159B2195DA7FE7BE1F766B84F1884159E4A0B7A5CF38C843C710

Function 00000218157DA212 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61815b1b1e2ef4ccc392bbfeddc1653db4fec3c85a47032f504d6db4b490abc5
Instruction ID: c91b7fa6f42d60c46b80350414f791ef830a8972618cccd8fcb6c9b56732d00e
Opcode Fuzzy Hash: 61815b1b1e2ef4ccc392bbfeddc1653db4fec3c85a47032f504d6db4b490abc5
Instruction Fuzzy Hash: 6551073371675462FEA59B2295AABFA26D07733BB0E184E158D7E037C4DE7D98839300

Function 00000218157D8DBF Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bca6ec85799f189a0f82511847787995138149406770cc77bbc9d1e96a944d
Instruction ID: 561b7bfbfcbe8c59c03fab56d7242ba4d452f2b2d7c248040a46a871066ce27c
Opcode Fuzzy Hash: 82bca6ec85799f189a0f82511847787995138149406770cc77bbc9d1e96a944d
Instruction Fuzzy Hash: B151EE3331066496FB288F79D4997BEA2D1EB59B98F844426DB4D87799DF38C882C310

Function 00000218157CFEF8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3ec03269cf6aa142d89b28782b73b8cd8795e860e5c6e8b5ec014194e4788e
Instruction ID: d3f4a712beb8b521de998ed8aa33bf4bba9e7cd836229fce09248ff3b70ed3ba
Opcode Fuzzy Hash: 6c3ec03269cf6aa142d89b28782b73b8cd8795e860e5c6e8b5ec014194e4788e
Instruction Fuzzy Hash: 2051EF73200780A5E7659B36D4993EE63D5F76BBA8F5489219E1E47789EF34C442C380

Function 00000218157D2580 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff1238b836a76d0fd29faa9f320e23e4a16ac5b79674cca9c3634958178cc25
Instruction ID: 693cfbe80c4c51ba866148e5c9d371a99a7e143fa62587ca3cfc7bc2bde9bd3d
Opcode Fuzzy Hash: aff1238b836a76d0fd29faa9f320e23e4a16ac5b79674cca9c3634958178cc25
Instruction Fuzzy Hash: AE818C331097C0AAD7658B2190993EEBBE0F79BB94F998405DBDD4BA49DF24C453CB00

Function 00000218157D782C Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b49542e5064d916a5f82c754067426cb98b6f1f903349865ad29311dfc857aa
Instruction ID: 268ef9a6fceca9f678080c4182608235fdccad21f731e075db87a90926055ca4
Opcode Fuzzy Hash: 8b49542e5064d916a5f82c754067426cb98b6f1f903349865ad29311dfc857aa
Instruction Fuzzy Hash: 8A41F0633107985BFB108B5AA8C93EAA3D0F76ABD4F495421DE8C87759DE78C543C304

Function 00000218157D261F Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e0d081afdaecc50969faed20e3bc8e6693d941bc4f70075d206c33ff5da8f3
Instruction ID: cf7e574dd0246021fd0bf4294676a789ba03ecfe29e508021d432ebfcb42a85e
Opcode Fuzzy Hash: f6e0d081afdaecc50969faed20e3bc8e6693d941bc4f70075d206c33ff5da8f3
Instruction Fuzzy Hash: 77718E332087C0AAD765CB2191993EEBBE0F79AB94F998405DBDD47A49CF28C453CB00

Function 00000218158A6E98 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7814df2b3008c3d44f6b57440fac325037d727226c7964244ff97e76e5b603bf
Instruction ID: 3d6a53e68396f04271bd033d045bd2f3a2ea9bb994cd52e2912cd9d095dde85f
Opcode Fuzzy Hash: 7814df2b3008c3d44f6b57440fac325037d727226c7964244ff97e76e5b603bf
Instruction Fuzzy Hash: 1A512433A04290AAE715CB36C4993BF7BF0E3AA788F44440AEF8947299DF38C456D710

Function 00000218158BFD88 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9440798a9c10b441d610374697311701279c922c9580e1ba02ee943aebd3ddfe
Instruction ID: ca9d11e1dc913aa3ce385a3e8a22d3f03733bfc9146b9b35a18ec57152f7821b
Opcode Fuzzy Hash: 9440798a9c10b441d610374697311701279c922c9580e1ba02ee943aebd3ddfe
Instruction Fuzzy Hash: 8F41D33230065892E7249F22A8996BB73D9F75ABD0F449425EFAD8BBD5CF39D442C300

Function 00000218157DF230 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce3101668ec9306ac22aba203ae0a7547921127ddd80feb3136881a972c5986
Instruction ID: 9b1a0a0f3ec02e9340e0cea1a315c3ebdc56c522ef269550e98dacb2f4164bcc
Opcode Fuzzy Hash: 0ce3101668ec9306ac22aba203ae0a7547921127ddd80feb3136881a972c5986
Instruction Fuzzy Hash: 4841F73371424097EB54CB25D4CAB9E72D1E7A6B58F148624EE69477C8DF38D842C780

Function 00000218157B2980 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2358c6a5abd24fce9d0ea0a1edd7fec4e0cbb89c65c3f5ff4bd01c0387fa281
Instruction ID: 67e9658bdfe95430334c28df54cfc149af489c604c3534be1d0441deb248399d
Opcode Fuzzy Hash: d2358c6a5abd24fce9d0ea0a1edd7fec4e0cbb89c65c3f5ff4bd01c0387fa281
Instruction Fuzzy Hash: B131A0B330165492FF688B55A19A3B9A2D1F725BD4F859926EE1E177C8DE68C442C300

Function 00000218157BA448 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff34c90a79377d13eeb1d4ab746472c9711764aa4c70bb26413248f4ff96812d
Instruction ID: 03075796eef30a1b11fb4356e30022278addc2775b2df100c307e868998e1d23
Opcode Fuzzy Hash: ff34c90a79377d13eeb1d4ab746472c9711764aa4c70bb26413248f4ff96812d
Instruction Fuzzy Hash: 8831B573320360A3FB14AB29E5CE7E622D2A7B7364F540625D92E8A7D1EF6CC503C601

Function 00000218158BF9E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6326ff9ae33520a25fb9e2de76677f1c02b2f558322c6e6b81fe2e09c40e57b1
Instruction ID: 47d18df97183450f11423982d799f25320d1de29e20405a261253d57ae97eab3
Opcode Fuzzy Hash: 6326ff9ae33520a25fb9e2de76677f1c02b2f558322c6e6b81fe2e09c40e57b1
Instruction Fuzzy Hash: ED11E7A2B2429553EB448B35B466BBA73A1F7697B4F41E316EA7D837D0EA3CD040C301

Function 00000218157C404C Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fad0afe292299a4e7a58b6604c36dc141e9089652513705d1f52d7754a846a
Instruction ID: 3a737d3ce7d95541eff421fccba024205ee8487228e2dc8f26a501f9b126cc78
Opcode Fuzzy Hash: c5fad0afe292299a4e7a58b6604c36dc141e9089652513705d1f52d7754a846a
Instruction Fuzzy Hash: CB014036320A4483EB40CB6AE99555A7766F78CBD0B556412EF4D47B1DCE38C901C780

Function 000002181584D310 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9732c155fd3d53485fb27fab9fd8f1c15631e2d73854de4b17c8ad07df4ec1e
Instruction ID: 5543256b38cc508a2e2b1f0fadcfb1b1bf0dbb820f51bca5bcc7d0441ab8fd31
Opcode Fuzzy Hash: f9732c155fd3d53485fb27fab9fd8f1c15631e2d73854de4b17c8ad07df4ec1e
Instruction Fuzzy Hash: A6B0127D60625455FF402B15A6487F015D07B75F18ED600F0DC44412E38A89848A4004

Function 000002181584D1D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bb0cb2bbc4f102238ae8c7043047bae15fca9734dce16e40176b01c3f2a650
Instruction ID: 1ecedbde2a0dfb29a28c9be02eae870ad01477649adf74ed32b4e12412190744
Opcode Fuzzy Hash: f3bb0cb2bbc4f102238ae8c7043047bae15fca9734dce16e40176b01c3f2a650
Instruction Fuzzy Hash: 3EB0121D10625061FE507F15A2483B016D07B75F14F9A00F1AC4942AC38B8D848A8004

Function 00000218158BABD4 Relevance: 31.4, Strings: 25, Instructions: 197COMMON

Download Yara Rule

Strings

Last known valid blocks: before - %p, after - %p, xrefs: 00000218158BAEDF
Parameter1: %p, xrefs: 00000218158BADE0
Error code: %d - %s, xrefs: 00000218158BAD8B
HEAP[%wZ]: , xrefs: 00000218158BAC01
heap_failure_unknown, xrefs: 00000218158BACD4
heap_failure_multiple_entries_corruption, xrefs: 00000218158BACB3
heap_failure_virtual_block_corruption, xrefs: 00000218158BACA7
heap_failure_buffer_overrun, xrefs: 00000218158BAC9B
Stack trace available at %p, xrefs: 00000218158BAF2F
heap_failure_buffer_underrun, xrefs: 00000218158BAC8F
heap_failure_freelists_corruption, xrefs: 00000218158BAD24
heap_failure_invalid_allocation_type, xrefs: 00000218158BAD3F
Parameter2: %p, xrefs: 00000218158BAE32
heap_failure_block_not_busy, xrefs: 00000218158BACE6
Parameter3: %p, xrefs: 00000218158BAE84
heap_failure_entry_corruption, xrefs: 00000218158BACBF
heap_failure_cross_heap_operation, xrefs: 00000218158BAD2D
heap_failure_listentry_corruption, xrefs: 00000218158BAD1B
heap_failure_generic, xrefs: 00000218158BACCB
heap_failure_lfh_bitmap_mismatch, xrefs: 00000218158BAD12
HEAP: , xrefs: 00000218158BABFA
heap_failure_internal, xrefs: 00000218158BACDD
heap_failure_usage_after_free, xrefs: 00000218158BAD36
Heap error detected at %p (heap handle %p), xrefs: 00000218158BAC3C
heap_failure_invalid_argument, xrefs: 00000218158BAD48

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: d74199e69c38fe6e870a676e079d1a7fc83f4ebfde18a6da8f65b7161e985e03
Instruction ID: 3305ec1b600ca5569dbf774848fb262fbf20cdff57c810e26adfe6c1c385b0aa
Opcode Fuzzy Hash: d74199e69c38fe6e870a676e079d1a7fc83f4ebfde18a6da8f65b7161e985e03
Instruction Fuzzy Hash: CDA13837240A08B1FA599B15E9D83EB63E5F7A7B92F980002CD1E477A4DF69C647C341

Function 000002181582832C Relevance: 15.1, Strings: 12, Instructions: 125COMMON

Download Yara Rule

Strings

8, xrefs: 00000218158745DD
SXS: %s() found assembly information section with wrong magic value Expected %lu; got %lu, xrefs: 0000021815874566
SXS: %s() found assembly information section with user data too small Section header: %p UserDataSize: %lu; needed: %lu, xrefs: 00000218158745E5
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!, xrefs: 0000021815874554
SXS: %s() passed string section at %p with too small of a header HeaderSize: %lu Required: %lu, xrefs: 00000218158745C2
SXS: %s() passed string section at %p only %Iu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!, xrefs: 0000021815874547
SXS: %s() found assembly information section with search structure overlapping section header Section header: %p Header Size: %lu SearchStructureOffset: %lu, xrefs: 0000021815874621
SXS: %s() found assembly information section with user data overlapping section header Section header: %p Header Size: %lu User Data Offset: %lu, xrefs: 00000218158745D0
SsHd, xrefs: 000002181582837B
SXS: %s() found assembly information section with user data extending beyond section data Section header: %p UserDataSize: %lu UserDataOffset: %lu Section size: %Iu, xrefs: 0000021815874589
RtlpCrackActivationContextStringSectionHeader, xrefs: 0000021815874573, 000002181587459B, 00000218158745F7
SXS: %s() found assembly information section with element list overlapping section header Section header: %p Header Size: %lu ElementListOffset: %lu, xrefs: 000002181587460C

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 8$RtlpCrackActivationContextStringSectionHeader$SXS: %s() found assembly information section with element list overlapping section header Section header: %p Header Size: %lu ElementListOffset: %lu$SXS: %s() found assembly information section with search structure overlapping section header Section header: %p Header Size: %lu SearchStructureOffset: %lu$SXS: %s() found assembly information section with user data extending beyond section data Section header: %p UserDataSize: %lu UserDataOffset: %lu Section size: %Iu$SXS: %s() found assembly information section with user data overlapping section header Section header: %p Header Size: %lu User Data Offset: %lu$SXS: %s() found assembly information section with user data too small Section header: %p UserDataSize: %lu; needed: %lu$SXS: %s() found assembly information section with wrong magic value Expected %lu; got %lu$SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!$SXS: %s() passed string section at %p only %Iu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!$SXS: %s() passed string section at %p with too small of a header HeaderSize: %lu Required: %lu$SsHd
API String ID: 0-1021861106
Opcode ID: f8080ffd889e90f1ebfe05433bf4520886ae552e69d051b4025ef3fe2b31d659
Instruction ID: 69e17cb21845bd14e46bfc359af589346e8e5bb6c0b9cc32816213634fce0ec5
Opcode Fuzzy Hash: f8080ffd889e90f1ebfe05433bf4520886ae552e69d051b4025ef3fe2b31d659
Instruction Fuzzy Hash: CC518973214780E6EB64CF08E488ADE77E5F766B44F448126EE4D87A64EF78C956CB00

Function 00000218158A9040 Relevance: 11.4, Strings: 9, Instructions: 162COMMON

Download Yara Rule

Strings

Specified HeapBase (%p) invalid, Status = %lx, xrefs: 00000218158A91EA
Invalid CommitSize parameter - %Ix, xrefs: 00000218158A910C
HEAP: , xrefs: 00000218158A909E, 00000218158A90FD, 00000218158A915B, 00000218158A91DB, 00000218158A9238, 00000218158A929A
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 00000218158A9249
Specified HeapBase (%p) is free or not writable, xrefs: 00000218158A92AB
0, xrefs: 00000218158A918F
Invalid ReserveSize parameter - %Ix, xrefs: 00000218158A90AD
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 00000218158A9167
HEAP[%wZ]: , xrefs: 00000218158A908C, 00000218158A90EB, 00000218158A9149, 00000218158A91C5, 00000218158A9226, 00000218158A9288

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-3373917919
Opcode ID: 947cfd375f7ceede543748584a3deed02da43232229cb8ea454bd94c5ba5fa5c
Instruction ID: a6ee265e0ece93ed48e7eda4534e1f1cddc027bc10f0efb1be4bf9c8e40dac62
Opcode Fuzzy Hash: 947cfd375f7ceede543748584a3deed02da43232229cb8ea454bd94c5ba5fa5c
Instruction Fuzzy Hash: DF81F67A208A44A0FB149B19E9D83EB23E1F7A2BD4F904106ED1E87BA5DF39C547C741

Function 00000218157E23F0 Relevance: 10.5, Strings: 8, Instructions: 454COMMON

Download Yara Rule

Strings

Procedure "%s" could not be located in DLL at base 0x%p., xrefs: 0000021815863C23
z, xrefs: 00000218157E2646
{, xrefs: 0000021815863B81
Import '%s' of DLL '%wZ' is redirected to 0x%p, xrefs: 0000021815863BCF
LdrpNameToOrdinal, xrefs: 0000021815863C35
LdrpSnapModule, xrefs: 0000021815863B5E, 0000021815863BE1
minkernel\ntdll\ldrsnap.c, xrefs: 0000021815863B6A, 0000021815863BED, 0000021815863C41
DLL "%wZ" does not contain an export table, xrefs: 0000021815863B4F

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL "%wZ" does not contain an export table$Import '%s' of DLL '%wZ' is redirected to 0x%p$LdrpNameToOrdinal$LdrpSnapModule$Procedure "%s" could not be located in DLL at base 0x%p.$minkernel\ntdll\ldrsnap.c$z${
API String ID: 0-741447566
Opcode ID: edc2b2b38b2bcc77ad92f5d582d6108ef4a0421463b7e24690225b4cc8af9c46
Instruction ID: 8942b3eb21d2521c7ad68295ec18a92a13bb02d3028b35057a189a1afbab8b51
Opcode Fuzzy Hash: edc2b2b38b2bcc77ad92f5d582d6108ef4a0421463b7e24690225b4cc8af9c46
Instruction Fuzzy Hash: 3312C073208B80AAE764CF15E489BEA77E1F7A6B84F504515EE8D47B98DF78C542CB00

Function 00000218158370FC Relevance: 10.0, Strings: 8, Instructions: 31COMMON

Download Yara Rule

Strings

\SysWOW64\, xrefs: 0000021815837121
\SysARM32\, xrefs: 000002181587A289
System32, xrefs: 0000021815837146
SysARM32, xrefs: 000002181587A282
\System32\, xrefs: 000002181583713F
\SyCHPE32\, xrefs: 000002181587A276
SysWOW64, xrefs: 000002181583711A
SyCHPE32, xrefs: 000002181587A26F

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: SyCHPE32$SysARM32$SysWOW64$System32$\SyCHPE32\$\SysARM32\$\SysWOW64\$\System32\
API String ID: 0-2516413534
Opcode ID: da4e23e9be57c4e1591652d72f844376a461ec93d203d529a4d47cd2735131f2
Instruction ID: 05237339d94c7fc90045b2ccb03dbede326a160eb7f40f9810dd9d3fe5e9424c
Opcode Fuzzy Hash: da4e23e9be57c4e1591652d72f844376a461ec93d203d529a4d47cd2735131f2
Instruction Fuzzy Hash: 6C011D73314546B4FEA5A754E8CCFFA57E1A377744F9410069C0E865B8EEA8C78B9340

Function 00000218158903F0 Relevance: 8.9, Strings: 7, Instructions: 108COMMON

Download Yara Rule

Strings

SXS: Unable to open storage root subkey %wZ; Status = 0x%08lx, xrefs: 0000021815890484
SXS: Assembly storage root location for %wZ does not fit in a UNICODE STRING, xrefs: 0000021815890525
SXS: Unabel to query location from storage root subkey %wZ; Status = 0x%08lx, xrefs: 00000218158904D6
SXS: Assembly storage root location value has non-even size, xrefs: 0000021815890505
@, xrefs: 0000021815890466
SXS: Assembly storage root location value type is not REG_SZ, xrefs: 00000218158904E5
0, xrefs: 0000021815890459

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$SXS: Assembly storage root location for %wZ does not fit in a UNICODE STRING$SXS: Assembly storage root location value has non-even size$SXS: Assembly storage root location value type is not REG_SZ$SXS: Unabel to query location from storage root subkey %wZ; Status = 0x%08lx$SXS: Unable to open storage root subkey %wZ; Status = 0x%08lx
API String ID: 0-1140364006
Opcode ID: b6e3ee317f567198a64da539bf2831eabf992205e716ad30bae65acc3e462dbb
Instruction ID: 413c31e697d6078286633fd0bd783dc56da7bff625cdf11e1dd398c204296aac
Opcode Fuzzy Hash: b6e3ee317f567198a64da539bf2831eabf992205e716ad30bae65acc3e462dbb
Instruction Fuzzy Hash: B5415AB3604640EAE7259B61E4983EB73E0FBAA348F504026EE4D57A95EF78C547CB40

Function 00000218157EF2F4 Relevance: 7.7, Strings: 6, Instructions: 245COMMON

Download Yara Rule

Strings

Locating export at ordinal %d for DLL "%wZ" failed with status: 0x%08lx., xrefs: 00000218158669E2
minkernel\ntdll\ldrutil.c, xrefs: 0000021815866948, 0000021815866A06
Locating export "%wZ" for DLL "%wZ" failed with status: 0x%08lx., xrefs: 000002181586694F
#%d, xrefs: 0000021815866977
LdrpReportError, xrefs: 000002181586693C, 00000218158669EE
Unknown, xrefs: 00000218157EF339

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: #%d$LdrpReportError$Locating export "%wZ" for DLL "%wZ" failed with status: 0x%08lx.$Locating export at ordinal %d for DLL "%wZ" failed with status: 0x%08lx.$Unknown$minkernel\ntdll\ldrutil.c
API String ID: 0-1905398271
Opcode ID: 00e2c80f50b1af3d3666e1618a0d9b2e654251eadecad015447a9e3e5608a550
Instruction ID: 80a09c30d731ffadbac22f8f7fbc5f7597dec32d03cc56e031dfb9be13eee3ff
Opcode Fuzzy Hash: 00e2c80f50b1af3d3666e1618a0d9b2e654251eadecad015447a9e3e5608a550
Instruction Fuzzy Hash: 78A18A33204B80A6FB209F21E4C97DA67E5F7A6398F500415EE9E47BA8DF38C646C700

Function 00000218157E21C0 Relevance: 7.7, Strings: 6, Instructions: 208COMMON

Download Yara Rule

Strings

Procedure "%s" could not be located in DLL at base 0x%p., xrefs: 0000021815863A3D
Loading procedure 0x%lx by ordinal, xrefs: 0000021815863A7D
LdrpNameToOrdinal, xrefs: 0000021815863A49
Locating procedure "%s" by name, xrefs: 00000218158639FE
minkernel\ntdll\ldrsnap.c, xrefs: 0000021815863A21, 0000021815863A60, 0000021815863A9F
LdrpGetProcedureAddress, xrefs: 0000021815863A15, 0000021815863A93

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpGetProcedureAddress$LdrpNameToOrdinal$Loading procedure 0x%lx by ordinal$Locating procedure "%s" by name$Procedure "%s" could not be located in DLL at base 0x%p.$minkernel\ntdll\ldrsnap.c
API String ID: 0-1899888655
Opcode ID: ef9c593fa0ed28c1a3ea439c09608a47d71992b4b6e13df4206761f1777fa3b8
Instruction ID: 741af7da5ec624b3d3e7649e721f20fce826ef7e74ba6d4d065400ad4668176c
Opcode Fuzzy Hash: ef9c593fa0ed28c1a3ea439c09608a47d71992b4b6e13df4206761f1777fa3b8
Instruction Fuzzy Hash: 1881F133204750AAE760CB11E4C9BEA33E5F766B58F554521DE8E87A94DF38CE478B00

Function 00000218157CD0FC Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes), xrefs: 000002181585E8DD
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes), xrefs: 000002181585E966
SXS/RTL: Section found (offset %ld; length %lu) extends past end of activation context data (%lu bytes), xrefs: 00000218157CD256
SXS/RTL: Extended TOC offset (%ld) is outside bounds of activation context data (%lu bytes), xrefs: 000002181585E8A4
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes), xrefs: 000002181585E8F7
SXS/RTL: Activation context data at %p too small; TotalSize = %lu; HeaderSize = %lu, xrefs: 000002181585E9BD

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: SXS/RTL: Activation context data at %p too small; TotalSize = %lu; HeaderSize = %lu$SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)$SXS/RTL: Extended TOC offset (%ld) is outside bounds of activation context data (%lu bytes)$SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)$SXS/RTL: Section found (offset %ld; length %lu) extends past end of activation context data (%lu bytes)$SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
API String ID: 0-732641482
Opcode ID: 7e0468c429655be2f0dfeeac22348687e7988a5ba2a970a34264ce9152dc6ab5
Instruction ID: 012cc293caa93b840f9351aeaae69abf13f412b0e395fda8a692d2271abd6f46
Opcode Fuzzy Hash: 7e0468c429655be2f0dfeeac22348687e7988a5ba2a970a34264ce9152dc6ab5
Instruction Fuzzy Hash: CF81C173310681AAEB64CB45E4D9BEA77D0F7A6B84F548529AE0F03A90DF35C947CB00

Function 00000218158A8B30 Relevance: 7.7, Strings: 6, Instructions: 195COMMON

Download Yara Rule

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 00000218158A8DE4
HEAP: , xrefs: 00000218158A8D20, 00000218158A8DBD, 00000218158A8E27
RtlAllocateHeap, xrefs: 00000218158A8B7E
Just allocated block at %p for %Ix bytes, xrefs: 00000218158A8D36
HEAP[%wZ]: , xrefs: 00000218158A8D0D, 00000218158A8DAF, 00000218158A8E19
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00000218158A8E3D

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: db7a4cce5cde4fd5bbe6e9c1f3e28e8e8289ca2e72809ef67ffd2e41936dd0d4
Instruction ID: c15549a99c3abd771d078eba5bf1098dcc8b3c944d0fb6eaa95e1be466e47533
Opcode Fuzzy Hash: db7a4cce5cde4fd5bbe6e9c1f3e28e8e8289ca2e72809ef67ffd2e41936dd0d4
Instruction Fuzzy Hash: 4C91AD33214680A2FB559B25D5C83EBA7E1FBA6B94F484011DE8D477A6DF38C853CB60

Function 000002181587BB94 Relevance: 7.6, Strings: 6, Instructions: 135COMMON

Download Yara Rule

Strings

AppxStateChange, xrefs: 000002181587BBF6
TargetNtPath, xrefs: 000002181587BBEC
0, xrefs: 000002181587BD54
@, xrefs: 000002181587BD71
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange, xrefs: 000002181587BBCF
\PackageList\, xrefs: 000002181587BC58

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$AppxStateChange$TargetNtPath$\PackageList\$\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange
API String ID: 0-286041519
Opcode ID: a96deac849a5b1dc76c5f8c5ceb054a7690bb2a7dd8179807eedd155316d668f
Instruction ID: 77e7722605f402fe6aa74a5dc50c8a32a8c97268e9b896db5ed6e45bfcd83acf
Opcode Fuzzy Hash: a96deac849a5b1dc76c5f8c5ceb054a7690bb2a7dd8179807eedd155316d668f
Instruction Fuzzy Hash: 8751A037704B8195EB108B65E4983EB77A1FB96785F604126EF8D87A58EF3DC542C700

Function 0000021815821EB0 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0000021815871369
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 000002181587133D
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 0000021815871394
SXS: %s() passed the empty activation context, xrefs: 0000021815871323
RtlGetAssemblyStorageRoot, xrefs: 000002181587131C, 000002181587135C, 0000021815871388
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 0000021815871334

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 33e3b94073d01a40bc4d3407a18074b32dc67850bc2eb62f4803571db5bef160
Instruction ID: 045f3c76ce572d10a73248d086b6530e6f13c7a4de0b2a54e13044b40da1f3c9
Opcode Fuzzy Hash: 33e3b94073d01a40bc4d3407a18074b32dc67850bc2eb62f4803571db5bef160
Instruction Fuzzy Hash: 98416D73608B84A1EB24CB05E4C87DAB7E1F7AAB44F944116EE4D87BA4DF38C646C740

Function 000002181583A1F0 Relevance: 7.6, Strings: 6, Instructions: 104COMMON

Download Yara Rule

Strings

LanmanNt, xrefs: 000002181583A24B
$, xrefs: 000002181583A2D1
ProductType, xrefs: 000002181583A235
\Registry\Machine\System\CurrentControlSet\Control\ProductOptions, xrefs: 000002181583A21E
WinNt, xrefs: 000002181583A277
ServerNt, xrefs: 000002181583A260

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: $$LanmanNt$ProductType$ServerNt$WinNt$\Registry\Machine\System\CurrentControlSet\Control\ProductOptions
API String ID: 0-710184338
Opcode ID: 5cb4ee27a8377318e880d1b89495136bc51895d946e74c90e5bc25a29f23765c
Instruction ID: e457b92dc8a2ac954ac8d7697a197dca3eda6f10e0bbc7a422d5b845b873917c
Opcode Fuzzy Hash: 5cb4ee27a8377318e880d1b89495136bc51895d946e74c90e5bc25a29f23765c
Instruction Fuzzy Hash: ED51FF37B05B04AAEB51DFA0D0983DE33B5A729788F500526DE4C67B49EFB5C25AC780

Function 00000218157C50E0 Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 000002181585D187
@, xrefs: 00000218157C513C
minkernel\ntdll\ldrmap.c, xrefs: 000002181585D167, 000002181585D1A9
0, xrefs: 00000218157C5125
DLL name: %wZ, xrefs: 000002181585D144
LdrpFindKnownDll, xrefs: 000002181585D15B, 000002181585D19D

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$DLL name: %wZ$LdrpFindKnownDll$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-2787620482
Opcode ID: c38ac47651f8814fb69e07abf3ae537b549b41deedadfac1fdaabec3a8f8ddfd
Instruction ID: 279613991416657a5642db381740a957cf2f01bd97c0275e580e9041566d435f
Opcode Fuzzy Hash: c38ac47651f8814fb69e07abf3ae537b549b41deedadfac1fdaabec3a8f8ddfd
Instruction Fuzzy Hash: C6417A72305741A6E7109B12E4D97DAA7E5F7ABB84F504122EE8E43B95EF39C603C740

Function 000002181581A438 Relevance: 6.5, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

LdrpUnloadNode, xrefs: 000002181586FC57
Unmapping DLL "%wZ", xrefs: 000002181586FC5E
LdrpProcessDetachNode, xrefs: 000002181586FCBD
Uninitializing DLL "%wZ" (Init routine: %p), xrefs: 000002181586FCAB
minkernel\ntdll\ldrsnap.c, xrefs: 000002181586FC6A, 000002181586FCC9

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpProcessDetachNode$LdrpUnloadNode$Uninitializing DLL "%wZ" (Init routine: %p)$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 0-4123602842
Opcode ID: 40666b59cd3df9e5e371144b5ceaf536ac83556479ddc557c3b7eb5a8f45149d
Instruction ID: 4293a375b7b7f260c18288a3fa88af98642da1a6e67624ec9fb424f9ef267afa
Opcode Fuzzy Hash: 40666b59cd3df9e5e371144b5ceaf536ac83556479ddc557c3b7eb5a8f45149d
Instruction Fuzzy Hash: E4918D33215A40AAEB10DF25E4D83EA63E1E7A6B98F944521DE5D47795DF78C883C380

Function 0000021815831C90 Relevance: 6.5, Strings: 5, Instructions: 209COMMON

Download Yara Rule

Strings

SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 0000021815878C0E
0, xrefs: 0000021815831E26
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 0000021815878B66
@, xrefs: 0000021815831E47
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 0000021815878B83

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx
API String ID: 0-422673150
Opcode ID: a800af1c559c3f006f4642a1289b9edd3837513a5f0a9308c6f57210ac60473f
Instruction ID: 79177ec4fee130ef8c5ed64ac53baf1bf5ac1b258780406bffd6a849649409a4
Opcode Fuzzy Hash: a800af1c559c3f006f4642a1289b9edd3837513a5f0a9308c6f57210ac60473f
Instruction Fuzzy Hash: 4EA1BC73215B80A6FB619F25D0883EAB7F0F76AB44F100112DE9D47AA4DF39D5A6CB40

Function 000002181581C064 Relevance: 6.4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

Calling init routine %p for DLL "%wZ", xrefs: 00000218158700AF
H, xrefs: 000002181581C1A0
LdrpInitializeNode, xrefs: 00000218158700C1, 0000021815870105
Init routine %p for DLL "%wZ" failed during DLL_PROCESS_ATTACH, xrefs: 00000218158700F6
minkernel\ntdll\ldrsnap.c, xrefs: 00000218158700CD, 0000021815870111

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Calling init routine %p for DLL "%wZ"$H$Init routine %p for DLL "%wZ" failed during DLL_PROCESS_ATTACH$LdrpInitializeNode$minkernel\ntdll\ldrsnap.c
API String ID: 0-2227858126
Opcode ID: ff2c51dab56a306a92e0d16e95e7ca09da1d7610a2ea416d06f29500dc86734d
Instruction ID: aecb89c33358b1f03fcc54817c82bea514bd90f0c989f5f4aaaa2c832ee87760
Opcode Fuzzy Hash: ff2c51dab56a306a92e0d16e95e7ca09da1d7610a2ea416d06f29500dc86734d
Instruction Fuzzy Hash: 2F814873208B84A5E760CF14E8C43DA73E4F3A6B98F504225DA8D53BA8DF38C496CB40

Function 00000218158A953C Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

RtlFreeHeap, xrefs: 00000218158A9584, 00000218158A95F2
About to free block at %p, xrefs: 00000218158A9657
HEAP: , xrefs: 00000218158A9644, 00000218158A973B
About to free block at %p with tag %ws, xrefs: 00000218158A975A
HEAP[%wZ]: , xrefs: 00000218158A9636, 00000218158A972D

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 0-3492000579
Opcode ID: f75b609c18c85abc0291d5f05f28ce149412a4e9afc7884bd1479219e3071896
Instruction ID: c4e297227bfcf65a4fdc504d5acc561e3fb34720b45fa141ad607195b473f207
Opcode Fuzzy Hash: f75b609c18c85abc0291d5f05f28ce149412a4e9afc7884bd1479219e3071896
Instruction Fuzzy Hash: 6F619277208680A6FB159F25E4C93EB67E1FBA7B94F488011DE8E476A6DF28C443C750

Function 00000218158B3AD0 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

Control Panel\Desktop\MuiCached, xrefs: 00000218158B3B41
PreferredUILanguages, xrefs: 00000218158B3C2B
Control Panel\Desktop, xrefs: 00000218158B3B28
MachinePreferredUILanguages, xrefs: 00000218158B3B8B
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00000218158B3BD7

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-4270026425
Opcode ID: 0769309f3efd5c4dbd975c89418bf32535f57537865584b319054a166206ada1
Instruction ID: 79b9a700c9eb31c08ef17a0712e63ccde0487e0485e0e1b2a0d37a1d833c9e7d
Opcode Fuzzy Hash: 0769309f3efd5c4dbd975c89418bf32535f57537865584b319054a166206ada1
Instruction Fuzzy Hash: 7D614733701B45EAFB10DFA5D4E93EE23E4E769348F9005269E0D56A99EF74C60AC380

Function 0000021815880940 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

Getting the shim user exports failed with status 0x%08lx, xrefs: 0000021815880AB3
LdrpGetProcApphelpCheckModule, xrefs: 0000021815880A4A, 0000021815880AC6
apphelp.dll, xrefs: 0000021815880975
minkernel\ntdll\ldrinit.c, xrefs: 0000021815880A65, 0000021815880AD2
Loading the shim user DLL "%wZ" failed with status 0x%08lx, xrefs: 0000021815880A51

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Getting the shim user exports failed with status 0x%08lx$LdrpGetProcApphelpCheckModule$Loading the shim user DLL "%wZ" failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-2433441700
Opcode ID: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction ID: 29ce9359665332881ef9515ccfabf108738c1a937f32eb7493f00f5454e376d4
Opcode Fuzzy Hash: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction Fuzzy Hash: 57513A33304B85A6E710DB25E8C87DA73E1F79A384F904026AA8C87B65DF38D543C740

Function 0000021815832E0C Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 0000021815879445
LdrpProtectAndRelocateImage, xrefs: 00000218158793B9, 000002181587941B, 0000021815879457
minkernel\ntdll\ldrfind.c, xrefs: 00000218158793C5, 0000021815879422, 0000021815879463
Changing the protection of the executable at %p failed with status 0x%08lx, xrefs: 000002181587940C
Querying large page info failed with status 0x%08lx, xrefs: 00000218158793AA

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Changing the protection of the executable at %p failed with status 0x%08lx$LdrpProtectAndRelocateImage$Querying large page info failed with status 0x%08lx$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-3846273245
Opcode ID: abcae3a8a8489f1fadcbe02b3f265b1c3f2b21eb6c14adac2405167a411eb1b6
Instruction ID: 877ca841db3aaa92abcf223b43aa8146f2ede6244f917ac171a2ed914345e2c8
Opcode Fuzzy Hash: abcae3a8a8489f1fadcbe02b3f265b1c3f2b21eb6c14adac2405167a411eb1b6
Instruction Fuzzy Hash: 76418E3320868466F3A19B14E5C97DB36E1E7AB758F544215DE8E82BE2DF38C58BC710

Function 00000218157BE1C0 Relevance: 6.3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 000002181585A987
VirtualQuery Failed 0x%p %x, xrefs: 000002181585A9CF
HEAP: , xrefs: 000002181585A97B, 000002181585A9C3
0, xrefs: 00000218157BE20C
HEAP[%wZ]: , xrefs: 000002181585A969, 000002181585A9B1

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-2326531815
Opcode ID: 76b190f4b2124d594a27fa568aa3616332a0d20b4b6db89f8748376757f24071
Instruction ID: ddb7d64c593b40c0a618ff7751c1739491eebd7bef8c36bd6b8eb5ff892ef2e1
Opcode Fuzzy Hash: 76b190f4b2124d594a27fa568aa3616332a0d20b4b6db89f8748376757f24071
Instruction Fuzzy Hash: 9A415A33210A84A5EB208B15E4D87EB63E1F7A67A4F940612EE6E477E5DF78C587C700

Function 0000021815832924 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

This != NULL, xrefs: 0000021815879186
minkernel\ntdll\sxsisol.cpp, xrefs: 0000021815879193, 00000218158791CC
rUS.Length <= This->PrivatePreallocatedString->MaximumLength, xrefs: 00000218158791BF
Internal error check failed, xrefs: 000002181587919A, 00000218158791D3
(This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL), xrefs: 00000218158791B0

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: (This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL)$Internal error check failed$This != NULL$minkernel\ntdll\sxsisol.cpp$rUS.Length <= This->PrivatePreallocatedString->MaximumLength
API String ID: 0-3589341846
Opcode ID: 07bbbf50b21f4078d9dd3934d7a2a66823b1323a23a329915a539fc90939d452
Instruction ID: f4442bea90834d64ae4fb5c2630ff61f3562a5a82b8fbdfbf6de10cd68acbcb8
Opcode Fuzzy Hash: 07bbbf50b21f4078d9dd3934d7a2a66823b1323a23a329915a539fc90939d452
Instruction Fuzzy Hash: 30415E37202A40A1EA54DF16E5D87AE63F0F76AB84F944512DE4E47B90EF28C5A3C310

Function 0000021815832D2C Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 0000021815879357
LdrpRelocateImage, xrefs: 000002181587931F, 000002181587936D
minkernel\ntdll\ldrmap.c, xrefs: 000002181587932B, 0000021815879379
H, xrefs: 000002181587933D
DLL name: %wZ, xrefs: 0000021815879308

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$H$LdrpRelocateImage$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-1580685039
Opcode ID: 688fafef5006efe96c6f2117a16b57247b5e09a7b4bf809afbeb823443735ae6
Instruction ID: ea1839bf491e8f8f10152882fe90fd99963ccc8faa9cec6c0346969f23362718
Opcode Fuzzy Hash: 688fafef5006efe96c6f2117a16b57247b5e09a7b4bf809afbeb823443735ae6
Instruction Fuzzy Hash: AC318E33208B84AAEA50DB11E5C87EB67D4F7AA784F540125EE8E43BA5DF38C647C700

Function 000002181580FEF0 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

Packaged DLL search path computed. Package Dirs: %ws, DllPath: %ws, xrefs: 000002181586D926
Lazy DLL search path computation failed with status: 0x%08lx., xrefs: 000002181586D8A4
minkernel\ntdll\ldrutil.c, xrefs: 000002181586D8B8, 000002181586D8E5, 000002181586D91F
DLL search path computed: %ws, xrefs: 000002181586D8DE
LdrpComputeLazyDllPath, xrefs: 000002181586D89D, 000002181586D8F7, 000002181586D913

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL search path computed: %ws$Lazy DLL search path computation failed with status: 0x%08lx.$LdrpComputeLazyDllPath$Packaged DLL search path computed. Package Dirs: %ws, DllPath: %ws$minkernel\ntdll\ldrutil.c
API String ID: 0-358238182
Opcode ID: d9b9bb1a86f2b326fe48d432a11851cd4063c43b2f81e9aceef26b2c73665142
Instruction ID: e75e2492be89ada6b5ba05ef13693bdc8f594702b498f9e56798efb8b4b62ab4
Opcode Fuzzy Hash: d9b9bb1a86f2b326fe48d432a11851cd4063c43b2f81e9aceef26b2c73665142
Instruction Fuzzy Hash: F8413533204B85A2EB208F14F8987DA73E5F7AA758F504112EA9D43BA9DF38C646C740

Function 000002181580EDAC Relevance: 5.4, Strings: 4, Instructions: 356COMMON

Download Yara Rule

Strings

LdrpSearchPath, xrefs: 000002181586D1A0, 000002181586D3A9
Status: 0x%08lx, xrefs: 000002181586D393
minkernel\ntdll\ldrfind.c, xrefs: 000002181586D18E, 000002181586D3B5
DLL name: %wZ, xrefs: 000002181586D187

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpSearchPath$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-4206496468
Opcode ID: 9521b5448327fa9aa51273bcdda7400f331b41bbb73bf5b1fbfd95ad9a669724
Instruction ID: 400f013bad52b85f0262de07fe6ac80632057751a54ab24372c8318ae2e0ac8b
Opcode Fuzzy Hash: 9521b5448327fa9aa51273bcdda7400f331b41bbb73bf5b1fbfd95ad9a669724
Instruction Fuzzy Hash: 08E19A77706A50A9EB609F65E0887EF67E1E766B88F418016DE9D57B94EF38C483C300

Function 0000021815811EFC Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

!!! Detour detected, disable parallel loading, xrefs: 000002181586E5FF
LdrpDetectDetour, xrefs: 000002181586E5BE, 000002181586E60C
minkernel\ntdll\ldrmap.c, xrefs: 000002181586E5D9, 000002181586E61D
NtSetInformationProcess: ProcessLoaderDetour failed with status 0x%08lx, xrefs: 000002181586E5C5

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !!! Detour detected, disable parallel loading$LdrpDetectDetour$NtSetInformationProcess: ProcessLoaderDetour failed with status 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-3708324991
Opcode ID: ae717ded8387fdbd4eb0d12df3b62de6b6b24d41631abd93f2f0a7e75e4e86df
Instruction ID: a0c15dadb90d4bfd805fa1a7646a72396dfc0d78e534e48c4fc7aae5616555bd
Opcode Fuzzy Hash: ae717ded8387fdbd4eb0d12df3b62de6b6b24d41631abd93f2f0a7e75e4e86df
Instruction Fuzzy Hash: F3D16B73214B84AAEB50DF2AE8C83EA27E1F36AB94F544116DE4E077A5DF38C442C740

Function 000002181581E548 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

LdrpMergeNodes, xrefs: 000002181587036D, 00000218158703AF
Merging a cycle rooted at %wZ., xrefs: 0000021815870387
minkernel\ntdll\ldrddag.c, xrefs: 0000021815870378, 00000218158703C2
Adding cyclic module %wZ., xrefs: 00000218158703B6

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Adding cyclic module %wZ.$LdrpMergeNodes$Merging a cycle rooted at %wZ.$minkernel\ntdll\ldrddag.c
API String ID: 0-1720079891
Opcode ID: 043020c5b29d29c751ca38547acac88a07ad1949baef2c20ebfd93bac03d0e8e
Instruction ID: e89401cd0691672270f22bd152470fdee7e35f495415b1de519774c1a9ab89e4
Opcode Fuzzy Hash: 043020c5b29d29c751ca38547acac88a07ad1949baef2c20ebfd93bac03d0e8e
Instruction Fuzzy Hash: CAC13673211B44A9EB60CF56E5C83AA37E5F366B84F548426CE4D47794DF38C8A2C340

Function 00000218157C4C38 Relevance: 5.2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 000002181585CFE9
LdrpMinimalMapModule, xrefs: 000002181585CF67, 000002181585CFFF
minkernel\ntdll\ldrmap.c, xrefs: 000002181585CF7A, 000002181585D00B
DLL name: %wZ, xrefs: 000002181585CF6E

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpMinimalMapModule$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-1759440706
Opcode ID: cad6c87835dba6ff70b3f669fddd3a10ec9eb5783d6a23acae571d114d4a5590
Instruction ID: cb7c59c34aed927ad6ff5939991c55dd460f47f0772819aebc825c3afb6ef02a
Opcode Fuzzy Hash: cad6c87835dba6ff70b3f669fddd3a10ec9eb5783d6a23acae571d114d4a5590
Instruction Fuzzy Hash: 2B81BE33204B51A6EB60DF25E4D87EA27E6F76A7A8F100615EE5D43BA8CF38C546C700

Function 0000021815815A30 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 000002181586F238
::%hs%u.%u.%u.%u, xrefs: 000002181586F226
ffff:, xrefs: 000002181586F1E9
:%u.%u.%u.%u, xrefs: 000002181586F2B8

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 0-2108815105
Opcode ID: 69b2b847c13de5a79021b069f541dbfe07352da928340f1296ce0f8f47384177
Instruction ID: c1abc5d01009ea3cdac70ad02dadc70d323809b490bc2e8235ffec89be70d4ba
Opcode Fuzzy Hash: 69b2b847c13de5a79021b069f541dbfe07352da928340f1296ce0f8f47384177
Instruction Fuzzy Hash: 647102777142D06AE7209B24E5C42EFB7E1F712B88F588016AE4D57698DF38C947C750

Function 00000218158900A8 Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u), xrefs: 00000218158901AC
h, xrefs: 000002181589015E
RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation, xrefs: 00000218158900FD, 0000021815890196
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context, xrefs: 000002181589010B

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation$SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u)$SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context$h
API String ID: 0-4074404755
Opcode ID: 8da84731218229204a8cd93361a097d34f9adb4f4710e96a52fe3ad721e40135
Instruction ID: 996ddf68bf8585acd902efef7e2e2e85e1ce9c6af7b7048b03d8b47363a6c2b3
Opcode Fuzzy Hash: 8da84731218229204a8cd93361a097d34f9adb4f4710e96a52fe3ad721e40135
Instruction Fuzzy Hash: 677176B3612790EBE720CF55E488A9AB7E5F7A9748F1581299F4D03B44CB34E993CB00

Function 00000218158C9D38 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 00000218158C9E53
TargetNtPath, xrefs: 00000218158C9E4C
0, xrefs: 00000218158C9F12
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 00000218158C9E31

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-1436388672
Opcode ID: d33c5f0c9c5f5a4987733f3c1e8ced11be68c1c884f1e330a1b86ba90eb9f337
Instruction ID: 83923f29cba1ba8bfe0a67dbdc94b83913c03ac8eda77ca90be3e2f0dcf6e571
Opcode Fuzzy Hash: d33c5f0c9c5f5a4987733f3c1e8ced11be68c1c884f1e330a1b86ba90eb9f337
Instruction Fuzzy Hash: 6B716933314B45A6FB008B26E8A83EAA7E1F7AA788F404022DF4D57B55EF79D546C740

Function 00000218157CFA14 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 000002181585FF2D
minkernel\ntdll\ldrapi.c, xrefs: 000002181585FF15, 000002181585FF4B
LdrpLoadDllInternal, xrefs: 000002181585FF09, 000002181585FF3F
DLL name: %wZ, xrefs: 000002181585FEF7

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpLoadDllInternal$Status: 0x%08lx$minkernel\ntdll\ldrapi.c
API String ID: 0-3213092628
Opcode ID: 7701d67c5a0153aea717840d74723d4ca3db6ca73d76337b96434bc3384c4ad8
Instruction ID: 35fe5c1f467fe361f9fd8c09a9565086798c45abdfbc9fe76d08dccf3e23217a
Opcode Fuzzy Hash: 7701d67c5a0153aea717840d74723d4ca3db6ca73d76337b96434bc3384c4ad8
Instruction Fuzzy Hash: 50715C33204B81A9EB609F25E4A93DA77E1E7AAB84F544421DE9D87BA5DF38C443C701

Function 000002181580F0B4 Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 000002181586D3FD
minkernel\ntdll\ldrfind.c, xrefs: 000002181586D3EB, 000002181586D41F
LdrpResolveDllName, xrefs: 000002181586D3DF, 000002181586D413
DLL name: %wZ, xrefs: 000002181586D3C8

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpResolveDllName$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-992240436
Opcode ID: 26857c727e17897b218fd984172aadc402c5d00fc10a5a9914687e2eefea5e38
Instruction ID: 81abc624b44e4573555be836c73df372609e717a107def47ea688c928700a766
Opcode Fuzzy Hash: 26857c727e17897b218fd984172aadc402c5d00fc10a5a9914687e2eefea5e38
Instruction Fuzzy Hash: B751BE33614780A6FB219B11E4C87DB63E0F7AA784F448112EEAE47B95EF78D592C740

Function 0000021815830E04 Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrdload.c, xrefs: 0000021815878446
Unknown, xrefs: 0000021815878413
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 000002181587842B
LdrpRedirectDelayloadFailure, xrefs: 000002181587841F

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 0-3349709885
Opcode ID: a4fac57d8a51f6061942cf3ca09f93880188e8318465e8a61b298fb83938f65a
Instruction ID: 200fc14dd420980f47af86a5b19c27fb653d8ac9bceb85e3f40ab30bb47373b0
Opcode Fuzzy Hash: a4fac57d8a51f6061942cf3ca09f93880188e8318465e8a61b298fb83938f65a
Instruction Fuzzy Hash: F7515733705744EAEBA18F61E4887DA23E1E76AB98F540025DE8D17B98DF38C44BC740

Function 00000218157C0380 Relevance: 5.1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

Strings

LdrResolveDelayLoadedAPI, xrefs: 00000218157C04B0, 000002181585B210
LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00000218157C04A1
minkernel\ntdll\ldrdload.c, xrefs: 00000218157C04BC, 000002181585B21C
LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x, xrefs: 000002181585B201

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: LdrResolveDelayLoadedAPI$LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x$LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrdload.c
API String ID: 0-1756274442
Opcode ID: b88ea02462bc025a573015ed81a13cfde089274e7014f0a0105a807ed334faa3
Instruction ID: c8ee579114f7f6c5203654de743d563a53d1e75c3f1ba5c53722209715caef95
Opcode Fuzzy Hash: b88ea02462bc025a573015ed81a13cfde089274e7014f0a0105a807ed334faa3
Instruction Fuzzy Hash: BE419E33214785A6EA61DB15F8D9BDB62E0F7A7780F140425EE8D93BA5DF38C642C740

Function 00000218158AAD44 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 00000218158AAED2
HEAP: , xrefs: 00000218158AAE20, 00000218158AAEC3
HEAP[%wZ]: , xrefs: 00000218158AAE0E, 00000218158AAEA9
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00000218158AAE40

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: b71e40a072b7d5a7c1989120eb19d234d11030740bf8de39266d4688e4bbd9ab
Instruction ID: 7651f96c766722df3f6f6c143fb603c28bb8172992f0d3c051939739bcf28ffd
Opcode Fuzzy Hash: b71e40a072b7d5a7c1989120eb19d234d11030740bf8de39266d4688e4bbd9ab
Instruction Fuzzy Hash: 21414A73201A40A2EB10CF15E4C83EBA3E1F7A6B94F544122DE9E47B96DF79C456C350

Function 00000218157C4E80 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

LdrpFindDllActivationContext, xrefs: 000002181585D072, 000002181585D0B8
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 000002181585D079
Querying the active activation context failed with status 0x%08lx, xrefs: 000002181585D0A5
minkernel\ntdll\ldrsnap.c, xrefs: 000002181585D085, 000002181585D0C4

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: b3db1ada55566f29ce300c7f8a56d9bc3a74de6439a0c7eb5736e49b28f733de
Instruction ID: 756532c0a7a4948fe982cb01bed95f8198cdd019981aa64325103e1a213c4d36
Opcode Fuzzy Hash: b3db1ada55566f29ce300c7f8a56d9bc3a74de6439a0c7eb5736e49b28f733de
Instruction Fuzzy Hash: 7F41C173205755B1FB608B01E0DDBEAA7E2F3A7B99F458916DA0D03A90DF78C982C300

Function 00000218157C68A0 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 000002181585D694
minkernel\ntdll\ldrapi.c, xrefs: 000002181585D64B, 000002181585D6B6
LdrGetDllHandleEx, xrefs: 000002181585D63F, 000002181585D6AA
DLL name: %wZ, xrefs: 000002181585D628

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrGetDllHandleEx$Status: 0x%08lx$minkernel\ntdll\ldrapi.c
API String ID: 0-4104331901
Opcode ID: 23e170ce7bbda4a7a7276296c09a79c9220fc18554abaeafb2c52238f161871f
Instruction ID: 265bcc35cc48524e32434aa5d5b1541d1477292e3b2293f6d3975500ab7a97c2
Opcode Fuzzy Hash: 23e170ce7bbda4a7a7276296c09a79c9220fc18554abaeafb2c52238f161871f
Instruction Fuzzy Hash: 6D41D033219B81A5FA60DB15E4ED7EA63E0E7AB780F500416DE8E4B791DF38C6078740

Function 00000218157FD1E4 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

!, xrefs: 00000218157FD2BF
@, xrefs: 00000218157FD2A4
\??\, xrefs: 00000218157FD239
0, xrefs: 00000218157FD27E

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: !$0$@$\??\
API String ID: 0-2378251065
Opcode ID: d11d007897973202912b86bbf632058817eb397bdfa4d5d6bba43af5ccce839b
Instruction ID: 13a2c93d57401110ea664e51fcff24ad2e6a6e5518284dbb0ed6c7d527763f58
Opcode Fuzzy Hash: d11d007897973202912b86bbf632058817eb397bdfa4d5d6bba43af5ccce839b
Instruction Fuzzy Hash: 89414333628B8496E700DB61E48928EB7B4FB99784F515116EB9D47B58EF38C146CB40

Function 000002181581A914 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

LdrpProcessDetachNode, xrefs: 000002181586FCBD
Uninitializing DLL "%wZ" (Init routine: %p), xrefs: 000002181586FCAB
H, xrefs: 000002181581A9B3
minkernel\ntdll\ldrsnap.c, xrefs: 000002181586FCC9

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: H$LdrpProcessDetachNode$Uninitializing DLL "%wZ" (Init routine: %p)$minkernel\ntdll\ldrsnap.c
API String ID: 0-2965656906
Opcode ID: 4f614e716af26858b3d6e8abb1bca9cdb51dfeb918870fced8501e769bfe331b
Instruction ID: 98ed82c98dbc4118f2160b56c5ac370f8790e1a8731abea67a77386d05e58170
Opcode Fuzzy Hash: 4f614e716af26858b3d6e8abb1bca9cdb51dfeb918870fced8501e769bfe331b
Instruction Fuzzy Hash: C4418D33225B80A5E760CF11E5983AEB3E4F7A6B84F5591259E8C43B98DF78C496C780

Function 00000218158A9478 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00000218158A94C3
RtlDestroyHeap, xrefs: 00000218158A94E7
HEAP[%wZ]: , xrefs: 00000218158A94A9
May not destroy the process heap at %p, xrefs: 00000218158A94D2

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 2dc8ca39f5b21cb1f58b5cfceb1e46fa347bda9bd1d3e3d9118ebff7a581c0db
Instruction ID: 6f3fda9dc7c3241e981b05ec6e61307c65600b941a540a1a7f77dfc9297ff2a9
Opcode Fuzzy Hash: 2dc8ca39f5b21cb1f58b5cfceb1e46fa347bda9bd1d3e3d9118ebff7a581c0db
Instruction Fuzzy Hash: 2A115AB7219A04A1FF509B29E4C93EB23E1F7A2784F4450128D0D4B6A6EF28C58BC310

Function 000002181580E510 Relevance: 5.0, Strings: 4, Instructions: 37COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 000002181586D0A6
HEAP: , xrefs: 000002181586D097
, passed to %s, xrefs: 000002181586D0BA
HEAP[%wZ]: , xrefs: 000002181586D085

Memory Dump Source

Source File: 00000003.00000003.2174544568.00000218157B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000218157B0000, based on PE: true

Associated: 00000003.00000003.2174518607.00000218157B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174670186.00000218158CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2174715658.0000021815916000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175017636.0000021815922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175046572.0000021815931000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2175070322.0000021815936000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_218157b0000_rundll32.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p
API String ID: 0-2470418468
Opcode ID: ed0dbc8e4f4792f99bca2f4832526f942fd116cdcbe3696325fa0972c94868d2
Instruction ID: 2a1b903351a8f791d0e14d2676c8d3e612634ff0940cc6afe2eb746e00d112cf
Opcode Fuzzy Hash: ed0dbc8e4f4792f99bca2f4832526f942fd116cdcbe3696325fa0972c94868d2
Instruction Fuzzy Hash: 1E012933201640B1FF109B15E9D93EB23E1EBB6B84F944021DD1D87AA6DE38C587C711

Analysis Process: rundll32.exePID: 1416, Parent PID: 3416COMMON

Non-executed Functions

Function 0000018301FDC920 Relevance: 37.7, Strings: 30, Instructions: 239COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0000018302040B96
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0000018302040B78
This failed because of error %Ix., xrefs: 0000018302040D05
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0000018302040D59
The critical section is owned by thread %p., xrefs: 0000018302040C68
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0000018302040B86
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0000018302040B5D
The resource is owned shared by %d threads, xrefs: 0000018302040C23
an invalid address, %p, xrefs: 0000018302040DBB
read from, xrefs: 0000018302040D80
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0000018302040C81
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0000018302040D50
The resource is owned exclusively by thread %p, xrefs: 0000018302040C11
*** Resource timeout (%p) in %ws:%s, xrefs: 0000018302040BE5
*** An Access Violation occurred in %ws:%s, xrefs: 0000018302040D6A
The instruction at %p referenced memory at %p., xrefs: 0000018302040CEE
write to, xrefs: 0000018302040D87
*** enter .cxr %p for the context, xrefs: 0000018302040E04
The instruction at %p tried to %s , xrefs: 0000018302040D9F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0000018302040E3F
*** then kb to get the faulting stack, xrefs: 0000018302040E14
*** Inpage error in %ws:%s, xrefs: 0000018302040CCB
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0000018302040BA6
Go determine why that thread has not released the critical section., xrefs: 0000018302040C76
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0000018302040D44
a NULL pointer, xrefs: 0000018302040DCD
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0000018302040C33
<unknown>, xrefs: 0000018302040AF9
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0000018302040C49
*** enter .exr %p for the exception record, xrefs: 0000018302040DE5

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction ID: 04ec720218f731dbda2b4cc06dfd1b8b25a43faabb87e0a84118bd8ba9256d4e
Opcode Fuzzy Hash: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction Fuzzy Hash: 91B18FB2600F4092E71ADF51D8446EA33A2B788F48F69C526BA6D6B791DF38C709C340

Function 0000018301FABC18 Relevance: 17.7, Strings: 14, Instructions: 217COMMON

Download Yara Rule

Strings

SE_InstallBeforeInit, xrefs: 0000018301FABC92
SE_DllLoaded, xrefs: 0000018301FABCFC
Could not locate procedure "%s" in the shim user DLL, xrefs: 000001830200003B
SE_GetProcAddressForCaller, xrefs: 0000018301FABE05
SE_LdrResolveDllName, xrefs: 0000018301FABDD0
SE_ProcessDying, xrefs: 0000018301FABD9B
LdrpGetShimEngineInterface, xrefs: 0000018302000028
SE_InstallAfterInit, xrefs: 0000018301FABCC7
SE_ShimDllLoaded, xrefs: 0000018301FABC5D
minkernel\ntdll\ldrinit.c, xrefs: 0000018302000034
ApphelpCheckModule, xrefs: 0000018301FABE3A
SE_InitializeEngine, xrefs: 0000018301FABC26
SE_DllUnloaded, xrefs: 0000018301FABD31
SE_LdrEntryRemoved, xrefs: 0000018301FABD66

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$minkernel\ntdll\ldrinit.c
API String ID: 0-1094803608
Opcode ID: 7fa8ce1c2e0970e1d448a219135c5cfc8aa92bc7a7c9598b19bf9368ff82cbcd
Instruction ID: a049c71f3ffd13faaff38ed60712b8f18a46cf7ab86b1f563d6bfa70fe86ba20
Opcode Fuzzy Hash: 7fa8ce1c2e0970e1d448a219135c5cfc8aa92bc7a7c9598b19bf9368ff82cbcd
Instruction Fuzzy Hash: 12A1A072710B5586FB01CBB8E8917DE27A5F744B88F989112BE2D87A69DF38C349C740

Function 0000018301F52DE0 Relevance: 15.3, Strings: 12, Instructions: 334COMMON

Download Yara Rule

Strings

SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL, xrefs: 0000018301F53161
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL, xrefs: 0000018301F5316A
SXS: %s() - Caller passed invalid flags (0x%08lx), xrefs: 0000018301F53105
SXS: %s() - Caller passed meaningless flags/class combination (0x%08lx/0x%08lx), xrefs: 0000018301F53095
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count, xrefs: 0000018301F52FF2
SXS: %s() - Caller passed invalid address, not in any .dll (%p), xrefs: 0000018301F531E8
SXS: %s() - caller asked to use active activation context but passed %p, xrefs: 0000018301F53190
RtlQueryInformationActivationContext, xrefs: 0000018301F52FEB, 0000018301F5308E, 0000018301F530FE, 0000018301F5311D, 0000018301F5313F, 0000018301F53171, 0000018301F53189, 0000018301F531E1, 0000018301F53260, 0000018301F53299
SXS: %s() - caller asked for unknown information class %lu, xrefs: 0000018301F53124
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer, xrefs: 0000018301F53146
SXS: %s() - Caller passed invalid hmodule (%p), xrefs: 0000018301F53267
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu, xrefs: 0000018301F532A0

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: RtlQueryInformationActivationContext$SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL$SXS: %s() - Caller asked to use activation context from hmodule but passed NULL$SXS: %s() - Caller passed invalid address, not in any .dll (%p)$SXS: %s() - Caller passed invalid flags (0x%08lx)$SXS: %s() - Caller passed invalid hmodule (%p)$SXS: %s() - Caller passed meaningless flags/class combination (0x%08lx/0x%08lx)$SXS: %s() - caller asked for unknown information class %lu$SXS: %s() - caller asked to use active activation context but passed %p$SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer$SXS: %s() - caller supplied no buffer to populate and no place to return required byte count$SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
API String ID: 0-3344358112
Opcode ID: 3ff5508455042caa0a8fe042038ba14f8e077a5de2355db3dee3dbaabdd423cb
Instruction ID: ff25b7b0379a2fa7e6a7574a2c8fc8b5f9720ad081002e067f0752d84e45050a
Opcode Fuzzy Hash: 3ff5508455042caa0a8fe042038ba14f8e077a5de2355db3dee3dbaabdd423cb
Instruction Fuzzy Hash: E3E1BB32604F8186E721DB19A4407EE77A0F788F84F588326BB6A57B9ADF39C745C700

Function 0000018301FB2590 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 000001830200163C
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0000018302001698
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00000183020016C2
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0000018302001716
!, xrefs: 0000018301FB293A
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 000001830200155E
RtlpResolveAssemblyStorageMapEntry, xrefs: 000001830200175B
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 0000018302001604
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00000183020016E0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 0000018302001737
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 000001830200176E

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: !$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-2172119191
Opcode ID: e6d02611bf700dc5259ab5be9d1dee7d1cd20074aa457e0abfdaf2fdfbb6fa94
Instruction ID: 69fe2f11b43d5bcda343ca0777fbbd3448ff2b49a897df44d3e4c86b9e8d8296
Opcode Fuzzy Hash: e6d02611bf700dc5259ab5be9d1dee7d1cd20074aa457e0abfdaf2fdfbb6fa94
Instruction Fuzzy Hash: 3A028E32604B818AF711CBA0D4806EEB7B4F748B88F688216FA9D57B99DF38D755C740

Function 000001830203AF00 Relevance: 11.7, Strings: 9, Instructions: 489COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 000001830203B5A2
Heap block at %p is not last block in segment (%p), xrefs: 000001830203B4CE
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 000001830203B628
HEAP[%wZ]: , xrefs: 000001830203B3E1, 000001830203B43A, 000001830203B4AC, 000001830203B530, 000001830203B57F, 000001830203B606, 000001830203B666
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 000001830203B45D
Free Heap block %p modified at %p after it was freed, xrefs: 000001830203B406
Heap block at %p has incorrect segment offset (%x), xrefs: 000001830203B553
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 000001830203B688
HEAP: , xrefs: 000001830203B3F3, 000001830203B44C, 000001830203B4BE, 000001830203B542, 000001830203B591, 000001830203B618, 000001830203B678

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 312c84b731c6e7f0d4f73296451f14b52782add091b6bf8e27702144841eef8a
Instruction ID: a536e1888f6a68ece768d4798a0365f9b2cadd940c19e40cf7e23f6d698bb444
Opcode Fuzzy Hash: 312c84b731c6e7f0d4f73296451f14b52782add091b6bf8e27702144841eef8a
Instruction Fuzzy Hash: D722867220478486EB269F25D4507E9B7A5F745F8CF6CC002EAAA4B3A6DF38C790C714

Function 000001830203A764 Relevance: 10.4, Strings: 8, Instructions: 362COMMON

Download Yara Rule

Strings

Non-Dedicated free list element %p is out of order, xrefs: 000001830203A969
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 000001830203ABB7
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 000001830203AD1E
HEAP[%wZ]: , xrefs: 000001830203A948, 000001830203A99A, 000001830203AB34, 000001830203AB92, 000001830203AC8D, 000001830203ACF4
dedicated (%04Ix) free list element %p is marked busy, xrefs: 000001830203A9BC
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 000001830203AB55
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 000001830203ACAF
HEAP: , xrefs: 000001830203A95A, 000001830203A9AC, 000001830203AB46, 000001830203ABA4, 000001830203AC9F, 000001830203AD06

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 1784c3dcfeff741ecb3cdecb4d8a92246f06b0910236960104e71aef30d624b8
Instruction ID: 28a66b5bc38b67f17a77184708b4d0d0019ace2b9aebc253dfcfe1dc08ec1770
Opcode Fuzzy Hash: 1784c3dcfeff741ecb3cdecb4d8a92246f06b0910236960104e71aef30d624b8
Instruction Fuzzy Hash: 90027872300B8096EB56DB26D5407ED37A9F748F98F688412FAAA47B95DF34C7A1C304

Function 0000018302039B20 Relevance: 10.3, Strings: 8, Instructions: 294COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0000018302039F97
HEAP[%wZ]: , xrefs: 0000018302039C75, 0000018302039D6F, 0000018302039EC9, 0000018302039F62, 0000018302039FCC
About to reallocate block at %p to %Ix bytes, xrefs: 0000018302039C99
RtlReAllocateHeap, xrefs: 0000018302039B85, 0000018302039C31
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 0000018302039D9F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0000018302039FF0
Just reallocated block at %p to %Ix bytes, xrefs: 0000018302039EF2
HEAP: , xrefs: 0000018302039C83, 0000018302039D7D, 0000018302039EDC, 0000018302039F70, 0000018302039FDA

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 9d4b88e273e7c52128efdeae803a0fae9a3b5188c08abf6b34ea9f7f436da4d2
Instruction ID: 2edf960d0589f2f687498ed1e23d20cebb9456080e026e75e568166176fa5d48
Opcode Fuzzy Hash: 9d4b88e273e7c52128efdeae803a0fae9a3b5188c08abf6b34ea9f7f436da4d2
Instruction Fuzzy Hash: 6FD18E72204B8481EB52DB26D4407EA77A5FB84F80F6DC012FAAA473A6DF78CB45C744

Function 0000018301FB2ADC Relevance: 9.0, Strings: 7, Instructions: 271COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 000001830200191F
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 0000018302001987
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 0000018302001859
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00000183020018C4
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 00000183020019A4
!, xrefs: 0000018301FB2C7E
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 000001830200188D

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: !$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-529398606
Opcode ID: e258e43ece415bda32cafe0998fabf99b76c0b09502ffecafc8f9239ee1b3eb9
Instruction ID: 3221a5d5c37886a602eeb179531c7acbc83056fdf561c60b8058174f682d1af0
Opcode Fuzzy Hash: e258e43ece415bda32cafe0998fabf99b76c0b09502ffecafc8f9239ee1b3eb9
Instruction Fuzzy Hash: 6BC19C32A04B5086FB118F65D4903EEB7A1F788B88F688225BEAD17799DF38C755C740

Function 0000018301F5C2B4 Relevance: 7.9, Strings: 6, Instructions: 444COMMON

Download Yara Rule

Strings

minkernel\ntdll\sxsisol.cpp, xrefs: 0000018301FEE3C3, 0000018301FEE548
Status != STATUS_NOT_FOUND, xrefs: 0000018301FEE53B
Internal error check failed, xrefs: 0000018301FEE3CA, 0000018301FEE54F
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 0000018301FEE38B
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 0000018301FEE3B6
sxsisol_SearchActCtxForDllName, xrefs: 0000018301FEE37B

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-4188369865
Opcode ID: b1f0ad58b0586960047d9a50791e5c70df975ebdb656d446f6027201126353cd
Instruction ID: d571e573736326145a14e8fbc86cae398f8592ae451fc8e8efc88d59c195139e
Opcode Fuzzy Hash: b1f0ad58b0586960047d9a50791e5c70df975ebdb656d446f6027201126353cd
Instruction Fuzzy Hash: FD128E76200F5086EB248B65E4403EE77A4F748F88F549216FB6A47B99EF38D764C740

Function 0000018301F5F630 Relevance: 5.4, Strings: 4, Instructions: 357COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018301F5F7B9
?, xrefs: 0000018301FEFE28
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0000018301F5F7D7
HEAP: , xrefs: 0000018301F5F79E

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: ?$HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3505926276
Opcode ID: 57cc9a81001e4e4ed9c646aa42d00af107b4c94d0e5fe88ad0e918f5d9ead0fd
Instruction ID: b92299eb356ea0fe8c8bb12b985d7e25efaa133a625b7b9eefb201d561ae51a7
Opcode Fuzzy Hash: 57cc9a81001e4e4ed9c646aa42d00af107b4c94d0e5fe88ad0e918f5d9ead0fd
Instruction Fuzzy Hash: 26E1DF72204BD086EB248B2595143EEA7A0F705F98F0CC256EBBA0BB99DF38D355D710

Function 0000018301F5CA18 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 0000018301FEE78C
SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 0000018301FEE6F2
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 0000018301FEE75C
SsHd, xrefs: 0000018301F5CA50

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: 86f5ab345584fe1295c7d874a37ef7d52c5d9079da38fe2bc6587396bd451b66
Instruction ID: 479736e770129877f22081f6c3dcc7fe09dc798876fde9fc24169bce0b02c870
Opcode Fuzzy Hash: 86f5ab345584fe1295c7d874a37ef7d52c5d9079da38fe2bc6587396bd451b66
Instruction Fuzzy Hash: DBB17932B00A409AEB64CF65D5407DD73B5F708B88F088616AF2A57B99DF34DB56C700

Function 0000018301F5E940 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018301FEF79C, 0000018301FEF87D
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 0000018301FEF7BA
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 0000018301FEF8A3
HEAP: , xrefs: 0000018301FEF7AE, 0000018301FEF897

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction ID: 0fc5209734fb1c1b20f5160daff2160879a824269ecb2cc6ccad2ce95dca5757
Opcode Fuzzy Hash: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction Fuzzy Hash: 2AB1AE72204B8086EB648B25E4407EDB7A1F755F94F1CC225EBAA47B9ADF38C785D310

Function 0000018301F93A5C Relevance: 5.2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 0000018301FFAB0C
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 0000018301FFAB58
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 0000018301FFABF0
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0000018301FFABA4

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 185bdc8d650c613d0b23549c6ca3cf8ca1f7cbc634b0280679e4feb69342ce5c
Instruction ID: 67afcae3efea27ea48af51eabffce08f166971574696130da8d097a07123b281
Opcode Fuzzy Hash: 185bdc8d650c613d0b23549c6ca3cf8ca1f7cbc634b0280679e4feb69342ce5c
Instruction Fuzzy Hash: 2FB12636605A8485EB20EF21E4403ED37A5F789F98F188226EA6D47B99DF39CB45C740

Function 000001830204ABD4 Relevance: 31.4, Strings: 25, Instructions: 197COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 000001830204AC01
heap_failure_listentry_corruption, xrefs: 000001830204AD1B
Heap error detected at %p (heap handle %p), xrefs: 000001830204AC3C
heap_failure_buffer_underrun, xrefs: 000001830204AC8F
heap_failure_invalid_allocation_type, xrefs: 000001830204AD3F
heap_failure_block_not_busy, xrefs: 000001830204ACE6
Parameter3: %p, xrefs: 000001830204AE84
HEAP: , xrefs: 000001830204ABFA
heap_failure_freelists_corruption, xrefs: 000001830204AD24
heap_failure_virtual_block_corruption, xrefs: 000001830204ACA7
heap_failure_buffer_overrun, xrefs: 000001830204AC9B
heap_failure_generic, xrefs: 000001830204ACCB
heap_failure_cross_heap_operation, xrefs: 000001830204AD2D
Parameter1: %p, xrefs: 000001830204ADE0
heap_failure_internal, xrefs: 000001830204ACDD
heap_failure_entry_corruption, xrefs: 000001830204ACBF
heap_failure_lfh_bitmap_mismatch, xrefs: 000001830204AD12
Parameter2: %p, xrefs: 000001830204AE32
heap_failure_usage_after_free, xrefs: 000001830204AD36
Last known valid blocks: before - %p, after - %p, xrefs: 000001830204AEDF
heap_failure_unknown, xrefs: 000001830204ACD4
heap_failure_invalid_argument, xrefs: 000001830204AD48
Stack trace available at %p, xrefs: 000001830204AF2F
heap_failure_multiple_entries_corruption, xrefs: 000001830204ACB3
Error code: %d - %s, xrefs: 000001830204AD8B

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: d74199e69c38fe6e870a676e079d1a7fc83f4ebfde18a6da8f65b7161e985e03
Instruction ID: 0af6f913578c310f4eabf900cf04210b4ab75fdb96b9a30a8c174af5ee848040
Opcode Fuzzy Hash: d74199e69c38fe6e870a676e079d1a7fc83f4ebfde18a6da8f65b7161e985e03
Instruction Fuzzy Hash: D4A1F6B5780B0981FA5AAB16D9A43E92361F794F80F7DC102F93A06BA5DF29C745C380

Function 0000018301FB832C Relevance: 15.1, Strings: 12, Instructions: 125COMMON

Download Yara Rule

Strings

RtlpCrackActivationContextStringSectionHeader, xrefs: 0000018302004573, 000001830200459B, 00000183020045F7
SXS: %s() found assembly information section with user data extending beyond section data Section header: %p UserDataSize: %lu UserDataOffset: %lu Section size: %Iu, xrefs: 0000018302004589
SsHd, xrefs: 0000018301FB837B
SXS: %s() passed string section at %p only %Iu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!, xrefs: 0000018302004547
SXS: %s() found assembly information section with user data overlapping section header Section header: %p Header Size: %lu User Data Offset: %lu, xrefs: 00000183020045D0
SXS: %s() found assembly information section with user data too small Section header: %p UserDataSize: %lu; needed: %lu, xrefs: 00000183020045E5
SXS: %s() found assembly information section with search structure overlapping section header Section header: %p Header Size: %lu SearchStructureOffset: %lu, xrefs: 0000018302004621
SXS: %s() found assembly information section with element list overlapping section header Section header: %p Header Size: %lu ElementListOffset: %lu, xrefs: 000001830200460C
SXS: %s() found assembly information section with wrong magic value Expected %lu; got %lu, xrefs: 0000018302004566
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!, xrefs: 0000018302004554
SXS: %s() passed string section at %p with too small of a header HeaderSize: %lu Required: %lu, xrefs: 00000183020045C2
8, xrefs: 00000183020045DD

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 8$RtlpCrackActivationContextStringSectionHeader$SXS: %s() found assembly information section with element list overlapping section header Section header: %p Header Size: %lu ElementListOffset: %lu$SXS: %s() found assembly information section with search structure overlapping section header Section header: %p Header Size: %lu SearchStructureOffset: %lu$SXS: %s() found assembly information section with user data extending beyond section data Section header: %p UserDataSize: %lu UserDataOffset: %lu Section size: %Iu$SXS: %s() found assembly information section with user data overlapping section header Section header: %p Header Size: %lu User Data Offset: %lu$SXS: %s() found assembly information section with user data too small Section header: %p UserDataSize: %lu; needed: %lu$SXS: %s() found assembly information section with wrong magic value Expected %lu; got %lu$SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!$SXS: %s() passed string section at %p only %Iu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!$SXS: %s() passed string section at %p with too small of a header HeaderSize: %lu Required: %lu$SsHd
API String ID: 0-1021861106
Opcode ID: f8080ffd889e90f1ebfe05433bf4520886ae552e69d051b4025ef3fe2b31d659
Instruction ID: ac3038059bff641458a40d4a3ae9ea5f719a247a9e2bc4c238bae68c61a9035d
Opcode Fuzzy Hash: f8080ffd889e90f1ebfe05433bf4520886ae552e69d051b4025ef3fe2b31d659
Instruction Fuzzy Hash: 62516A72604B40C6E766CF14E480ADE77A9F784B84FACC216FA6947A95DF38CB54CB04

Function 0000018302039040 Relevance: 11.4, Strings: 9, Instructions: 162COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 000001830203908C, 00000183020390EB, 0000018302039149, 00000183020391C5, 0000018302039226, 0000018302039288
Specified HeapBase (%p) is free or not writable, xrefs: 00000183020392AB
Invalid CommitSize parameter - %Ix, xrefs: 000001830203910C
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 0000018302039249
0, xrefs: 000001830203918F
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 0000018302039167
Invalid ReserveSize parameter - %Ix, xrefs: 00000183020390AD
HEAP: , xrefs: 000001830203909E, 00000183020390FD, 000001830203915B, 00000183020391DB, 0000018302039238, 000001830203929A
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 00000183020391EA

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-3373917919
Opcode ID: 947cfd375f7ceede543748584a3deed02da43232229cb8ea454bd94c5ba5fa5c
Instruction ID: 7b9b032d91cf7aad3acd7773a59ebc6ad48be3948cb089858c1763c6e7903c12
Opcode Fuzzy Hash: 947cfd375f7ceede543748584a3deed02da43232229cb8ea454bd94c5ba5fa5c
Instruction Fuzzy Hash: 95813571204F4880FB16EB06D8847EA63A9F790F94F688102F92E877A5DF78C785C345

Function 0000018301F723F0 Relevance: 10.5, Strings: 8, Instructions: 454COMMON

Download Yara Rule

Strings

DLL "%wZ" does not contain an export table, xrefs: 0000018301FF3B4F
Procedure "%s" could not be located in DLL at base 0x%p., xrefs: 0000018301FF3C23
{, xrefs: 0000018301FF3B81
LdrpSnapModule, xrefs: 0000018301FF3B5E, 0000018301FF3BE1
minkernel\ntdll\ldrsnap.c, xrefs: 0000018301FF3B6A, 0000018301FF3BED, 0000018301FF3C41
Import '%s' of DLL '%wZ' is redirected to 0x%p, xrefs: 0000018301FF3BCF
LdrpNameToOrdinal, xrefs: 0000018301FF3C35
z, xrefs: 0000018301F72646

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL "%wZ" does not contain an export table$Import '%s' of DLL '%wZ' is redirected to 0x%p$LdrpNameToOrdinal$LdrpSnapModule$Procedure "%s" could not be located in DLL at base 0x%p.$minkernel\ntdll\ldrsnap.c$z${
API String ID: 0-741447566
Opcode ID: edc2b2b38b2bcc77ad92f5d582d6108ef4a0421463b7e24690225b4cc8af9c46
Instruction ID: c9155626b0a6c6791bc192538ebbf5ac72931aa2024c472d2a085349712476d7
Opcode Fuzzy Hash: edc2b2b38b2bcc77ad92f5d582d6108ef4a0421463b7e24690225b4cc8af9c46
Instruction Fuzzy Hash: 4F129D72208B8482EB61CB16E4407DEB7A1F794F84F588216FEA947B99DF79C745CB00

Function 0000018301FC70FC Relevance: 10.0, Strings: 8, Instructions: 31COMMON

Download Yara Rule

Strings

\SyCHPE32\, xrefs: 000001830200A276
\SysWOW64\, xrefs: 0000018301FC7121
\System32\, xrefs: 0000018301FC713F
SyCHPE32, xrefs: 000001830200A26F
System32, xrefs: 0000018301FC7146
SysWOW64, xrefs: 0000018301FC711A
\SysARM32\, xrefs: 000001830200A289
SysARM32, xrefs: 000001830200A282

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: SyCHPE32$SysARM32$SysWOW64$System32$\SyCHPE32\$\SysARM32\$\SysWOW64\$\System32\
API String ID: 0-2516413534
Opcode ID: da4e23e9be57c4e1591652d72f844376a461ec93d203d529a4d47cd2735131f2
Instruction ID: 2c059560f1f129ee1c03d111b3892eee7b712dd6584c425d5265793dd78d3b38
Opcode Fuzzy Hash: da4e23e9be57c4e1591652d72f844376a461ec93d203d529a4d47cd2735131f2
Instruction Fuzzy Hash: A7014470B05F02E4FE6A9715E984BE96762A394F84FBCD112B438466F4DF28C74A9740

Function 00000183020203F0 Relevance: 8.9, Strings: 7, Instructions: 108COMMON

Download Yara Rule

Strings

SXS: Unabel to query location from storage root subkey %wZ; Status = 0x%08lx, xrefs: 00000183020204D6
SXS: Assembly storage root location for %wZ does not fit in a UNICODE STRING, xrefs: 0000018302020525
SXS: Unable to open storage root subkey %wZ; Status = 0x%08lx, xrefs: 0000018302020484
@, xrefs: 0000018302020466
SXS: Assembly storage root location value type is not REG_SZ, xrefs: 00000183020204E5
SXS: Assembly storage root location value has non-even size, xrefs: 0000018302020505
0, xrefs: 0000018302020459

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$SXS: Assembly storage root location for %wZ does not fit in a UNICODE STRING$SXS: Assembly storage root location value has non-even size$SXS: Assembly storage root location value type is not REG_SZ$SXS: Unabel to query location from storage root subkey %wZ; Status = 0x%08lx$SXS: Unable to open storage root subkey %wZ; Status = 0x%08lx
API String ID: 0-1140364006
Opcode ID: b6e3ee317f567198a64da539bf2831eabf992205e716ad30bae65acc3e462dbb
Instruction ID: 1ebb943d17f45fef070f9ac1eda8f9cc6eb4b06361de4f244097cbe706bc5567
Opcode Fuzzy Hash: b6e3ee317f567198a64da539bf2831eabf992205e716ad30bae65acc3e462dbb
Instruction Fuzzy Hash: 93419F72604B4096F726CB60D4503EF73A5FB98B48F68C126FA6A47A95DF39C748CB40

Function 0000018301F7F2F4 Relevance: 7.7, Strings: 6, Instructions: 245COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 0000018301FF6948, 0000018301FF6A06
Locating export "%wZ" for DLL "%wZ" failed with status: 0x%08lx., xrefs: 0000018301FF694F
Unknown, xrefs: 0000018301F7F339
LdrpReportError, xrefs: 0000018301FF693C, 0000018301FF69EE
#%d, xrefs: 0000018301FF6977
Locating export at ordinal %d for DLL "%wZ" failed with status: 0x%08lx., xrefs: 0000018301FF69E2

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: #%d$LdrpReportError$Locating export "%wZ" for DLL "%wZ" failed with status: 0x%08lx.$Locating export at ordinal %d for DLL "%wZ" failed with status: 0x%08lx.$Unknown$minkernel\ntdll\ldrutil.c
API String ID: 0-1905398271
Opcode ID: 00e2c80f50b1af3d3666e1618a0d9b2e654251eadecad015447a9e3e5608a550
Instruction ID: ef45a24565fb917a76053b0884f7aeafdd3dc49946aa18dc7a0e5d89321b8da7
Opcode Fuzzy Hash: 00e2c80f50b1af3d3666e1618a0d9b2e654251eadecad015447a9e3e5608a550
Instruction Fuzzy Hash: 4FA18F32604F4086FB21DB61E4803DE67A5F744B98F688219FEAA47BA9DF78C745C700

Function 0000018301F721C0 Relevance: 7.7, Strings: 6, Instructions: 208COMMON

Download Yara Rule

Strings

Loading procedure 0x%lx by ordinal, xrefs: 0000018301FF3A7D
Procedure "%s" could not be located in DLL at base 0x%p., xrefs: 0000018301FF3A3D
minkernel\ntdll\ldrsnap.c, xrefs: 0000018301FF3A21, 0000018301FF3A60, 0000018301FF3A9F
LdrpGetProcedureAddress, xrefs: 0000018301FF3A15, 0000018301FF3A93
LdrpNameToOrdinal, xrefs: 0000018301FF3A49
Locating procedure "%s" by name, xrefs: 0000018301FF39FE

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpGetProcedureAddress$LdrpNameToOrdinal$Loading procedure 0x%lx by ordinal$Locating procedure "%s" by name$Procedure "%s" could not be located in DLL at base 0x%p.$minkernel\ntdll\ldrsnap.c
API String ID: 0-1899888655
Opcode ID: ef9c593fa0ed28c1a3ea439c09608a47d71992b4b6e13df4206761f1777fa3b8
Instruction ID: e688694d6d0185825874c391c0bcde966f13e1012fe396a0f784a6fcb504f1f0
Opcode Fuzzy Hash: ef9c593fa0ed28c1a3ea439c09608a47d71992b4b6e13df4206761f1777fa3b8
Instruction Fuzzy Hash: F281E032214A9086E7A18B11E4447EE33A5F744F98F6DC225FEAA87B94DF39DB45C700

Function 0000018301F5D0FC Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes), xrefs: 0000018301FEE8DD
SXS/RTL: Activation context data at %p too small; TotalSize = %lu; HeaderSize = %lu, xrefs: 0000018301FEE9BD
SXS/RTL: Extended TOC offset (%ld) is outside bounds of activation context data (%lu bytes), xrefs: 0000018301FEE8A4
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes), xrefs: 0000018301FEE966
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes), xrefs: 0000018301FEE8F7
SXS/RTL: Section found (offset %ld; length %lu) extends past end of activation context data (%lu bytes), xrefs: 0000018301F5D256

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: SXS/RTL: Activation context data at %p too small; TotalSize = %lu; HeaderSize = %lu$SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)$SXS/RTL: Extended TOC offset (%ld) is outside bounds of activation context data (%lu bytes)$SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)$SXS/RTL: Section found (offset %ld; length %lu) extends past end of activation context data (%lu bytes)$SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
API String ID: 0-732641482
Opcode ID: 7e0468c429655be2f0dfeeac22348687e7988a5ba2a970a34264ce9152dc6ab5
Instruction ID: b934341cdb0358d7dd8d2d44bdb8b5111799a5d11c8eb9a15246dfe47f1358b9
Opcode Fuzzy Hash: 7e0468c429655be2f0dfeeac22348687e7988a5ba2a970a34264ce9152dc6ab5
Instruction Fuzzy Hash: 7A81CD72302E408AEB64CB85A440BED7791F795F94F58C229BA2A47B95DF35CB46CB00

Function 0000018302038B30 Relevance: 7.7, Strings: 6, Instructions: 195COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018302038D0D, 0000018302038DAF, 0000018302038E19
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0000018302038DE4
RtlAllocateHeap, xrefs: 0000018302038B7E
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0000018302038E3D
Just allocated block at %p for %Ix bytes, xrefs: 0000018302038D36
HEAP: , xrefs: 0000018302038D20, 0000018302038DBD, 0000018302038E27

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: db7a4cce5cde4fd5bbe6e9c1f3e28e8e8289ca2e72809ef67ffd2e41936dd0d4
Instruction ID: 80b7b6194a8892ddd72764b9ef3336d9bee29eeef4aeff128cc830ca664998cd
Opcode Fuzzy Hash: db7a4cce5cde4fd5bbe6e9c1f3e28e8e8289ca2e72809ef67ffd2e41936dd0d4
Instruction Fuzzy Hash: C5918E32205B8082EB16DB26D4807E9A7A5FB84F94F6CC152FAA9473A6DF38C751C704

Function 000001830200BB94 Relevance: 7.6, Strings: 6, Instructions: 135COMMON

Download Yara Rule

Strings

AppxStateChange, xrefs: 000001830200BBF6
\PackageList\, xrefs: 000001830200BC58
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange, xrefs: 000001830200BBCF
TargetNtPath, xrefs: 000001830200BBEC
@, xrefs: 000001830200BD71
0, xrefs: 000001830200BD54

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$AppxStateChange$TargetNtPath$\PackageList\$\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\AppModel\StateChange
API String ID: 0-286041519
Opcode ID: a96deac849a5b1dc76c5f8c5ceb054a7690bb2a7dd8179807eedd155316d668f
Instruction ID: 3cd2d38efec0328d77725b22f0f1a60f3fb953775f627e75363e02f040e7365e
Opcode Fuzzy Hash: a96deac849a5b1dc76c5f8c5ceb054a7690bb2a7dd8179807eedd155316d668f
Instruction Fuzzy Hash: 2951C232714B8186F7119B24E4903EEB760FB84B88F648226FA9947B58EF39C742C700

Function 0000018301FB1EB0 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0000018302001369
RtlGetAssemblyStorageRoot, xrefs: 000001830200131C, 000001830200135C, 0000018302001388
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 0000018302001394
SXS: %s() passed the empty activation context, xrefs: 0000018302001323
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 0000018302001334
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 000001830200133D

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 33e3b94073d01a40bc4d3407a18074b32dc67850bc2eb62f4803571db5bef160
Instruction ID: 57bc89b8896fcda18ec141d0b7f2f0cdea45a01f2562832d9fe04442a5cf4399
Opcode Fuzzy Hash: 33e3b94073d01a40bc4d3407a18074b32dc67850bc2eb62f4803571db5bef160
Instruction Fuzzy Hash: 35412D72A08F4582EA21CB15E4807DEB7A1F798F84F588216FA6C47BA5DF38C755C740

Function 0000018301FCA1F0 Relevance: 7.6, Strings: 6, Instructions: 104COMMON

Download Yara Rule

Strings

ServerNt, xrefs: 0000018301FCA260
ProductType, xrefs: 0000018301FCA235
WinNt, xrefs: 0000018301FCA277
LanmanNt, xrefs: 0000018301FCA24B
\Registry\Machine\System\CurrentControlSet\Control\ProductOptions, xrefs: 0000018301FCA21E
$, xrefs: 0000018301FCA2D1

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: $$LanmanNt$ProductType$ServerNt$WinNt$\Registry\Machine\System\CurrentControlSet\Control\ProductOptions
API String ID: 0-710184338
Opcode ID: 5cb4ee27a8377318e880d1b89495136bc51895d946e74c90e5bc25a29f23765c
Instruction ID: 968b9ee16b09ac703be463e0547ed853860e7b434b76509ebbedc291faaa26be
Opcode Fuzzy Hash: 5cb4ee27a8377318e880d1b89495136bc51895d946e74c90e5bc25a29f23765c
Instruction Fuzzy Hash: 4151F232B04B049AEB11DFA0D1943DC33B5E708B48F648216EA6C67B49EFB5C31AC780

Function 0000018301F550E0 Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

0, xrefs: 0000018301F55125
minkernel\ntdll\ldrmap.c, xrefs: 0000018301FED167, 0000018301FED1A9
DLL name: %wZ, xrefs: 0000018301FED144
@, xrefs: 0000018301F5513C
Status: 0x%08lx, xrefs: 0000018301FED187
LdrpFindKnownDll, xrefs: 0000018301FED15B, 0000018301FED19D

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$DLL name: %wZ$LdrpFindKnownDll$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-2787620482
Opcode ID: c38ac47651f8814fb69e07abf3ae537b549b41deedadfac1fdaabec3a8f8ddfd
Instruction ID: d84fe5b360d2d158df59c63d917d32c85f07a9cb2d044ca50f3c54d127cd758a
Opcode Fuzzy Hash: c38ac47651f8814fb69e07abf3ae537b549b41deedadfac1fdaabec3a8f8ddfd
Instruction Fuzzy Hash: CB416A71205B4086F7219B12A4407DD77A5F799F84F68C222FAA943BA5DF38C745C740

Function 0000018301FAA438 Relevance: 6.5, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

LdrpProcessDetachNode, xrefs: 0000018301FFFCBD
Uninitializing DLL "%wZ" (Init routine: %p), xrefs: 0000018301FFFCAB
minkernel\ntdll\ldrsnap.c, xrefs: 0000018301FFFC6A, 0000018301FFFCC9
LdrpUnloadNode, xrefs: 0000018301FFFC57
Unmapping DLL "%wZ", xrefs: 0000018301FFFC5E

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpProcessDetachNode$LdrpUnloadNode$Uninitializing DLL "%wZ" (Init routine: %p)$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 0-4123602842
Opcode ID: 40666b59cd3df9e5e371144b5ceaf536ac83556479ddc557c3b7eb5a8f45149d
Instruction ID: 7d3fd5d358c828d387c164d4b7e5db2066d667c28775e479582150b476227d4f
Opcode Fuzzy Hash: 40666b59cd3df9e5e371144b5ceaf536ac83556479ddc557c3b7eb5a8f45149d
Instruction Fuzzy Hash: 5E9149B2201F448AEB51DF25E4543ED23A4E784F98F9CC225EA69077A5DF78CB99C340

Function 0000018301FC1C90 Relevance: 6.5, Strings: 5, Instructions: 209COMMON

Download Yara Rule

Strings

SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 0000018302008B83
@, xrefs: 0000018301FC1E47
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 0000018302008B66
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 0000018302008C0E
0, xrefs: 0000018301FC1E26

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx
API String ID: 0-422673150
Opcode ID: a800af1c559c3f006f4642a1289b9edd3837513a5f0a9308c6f57210ac60473f
Instruction ID: 6df98913ffa7573e11aef3a5f7535159d91e3d2a5013805acf4d7ecfe12eb0a4
Opcode Fuzzy Hash: a800af1c559c3f006f4642a1289b9edd3837513a5f0a9308c6f57210ac60473f
Instruction Fuzzy Hash: ABA1ACB2608B8186F721AF25D1503EE77A4F744F44F288211EE6947B96DF39C7A4CB80

Function 0000018301FAC064 Relevance: 6.4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

LdrpInitializeNode, xrefs: 00000183020000C1, 0000018302000105
H, xrefs: 0000018301FAC1A0
minkernel\ntdll\ldrsnap.c, xrefs: 00000183020000CD, 0000018302000111
Calling init routine %p for DLL "%wZ", xrefs: 00000183020000AF
Init routine %p for DLL "%wZ" failed during DLL_PROCESS_ATTACH, xrefs: 00000183020000F6

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Calling init routine %p for DLL "%wZ"$H$Init routine %p for DLL "%wZ" failed during DLL_PROCESS_ATTACH$LdrpInitializeNode$minkernel\ntdll\ldrsnap.c
API String ID: 0-2227858126
Opcode ID: ff2c51dab56a306a92e0d16e95e7ca09da1d7610a2ea416d06f29500dc86734d
Instruction ID: 4e69ae0c1285b2c58a75b60fc54b5809a7a4d8f74e1ae4a7e715af15a95a8537
Opcode Fuzzy Hash: ff2c51dab56a306a92e0d16e95e7ca09da1d7610a2ea416d06f29500dc86734d
Instruction Fuzzy Hash: 4F816D72204B8085E761CF14E8407DA77A4F785F98FA88216EAAD53BA9DF3DC794C740

Function 000001830203953C Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018302039636, 000001830203972D
RtlFreeHeap, xrefs: 0000018302039584, 00000183020395F2
About to free block at %p with tag %ws, xrefs: 000001830203975A
HEAP: , xrefs: 0000018302039644, 000001830203973B
About to free block at %p, xrefs: 0000018302039657

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 0-3492000579
Opcode ID: f75b609c18c85abc0291d5f05f28ce149412a4e9afc7884bd1479219e3071896
Instruction ID: cbe28800d63fd894eb441485254580d748a930cf43f9e537e3b6bd628c0c70bc
Opcode Fuzzy Hash: f75b609c18c85abc0291d5f05f28ce149412a4e9afc7884bd1479219e3071896
Instruction Fuzzy Hash: DF61B272204B8486FB16DF26E4407EA6BA5F785F80F6CC011FAAA473A6DF68C741C704

Function 0000018302043AD0 Relevance: 6.4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0000018302043BD7
Control Panel\Desktop, xrefs: 0000018302043B28
MachinePreferredUILanguages, xrefs: 0000018302043B8B
PreferredUILanguages, xrefs: 0000018302043C2B
Control Panel\Desktop\MuiCached, xrefs: 0000018302043B41

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-4270026425
Opcode ID: 0769309f3efd5c4dbd975c89418bf32535f57537865584b319054a166206ada1
Instruction ID: e0d39db52e7ed1fd51ea110b73bc8f32212967acab3096f5ea0974e72ae34b19
Opcode Fuzzy Hash: 0769309f3efd5c4dbd975c89418bf32535f57537865584b319054a166206ada1
Instruction Fuzzy Hash: B8615972701B01A9FB11AFB5D4903ED23A0E748B4CF689666AA1C57B99EF74C749C380

Function 0000018302010940 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0000018302010A65, 0000018302010AD2
apphelp.dll, xrefs: 0000018302010975
LdrpGetProcApphelpCheckModule, xrefs: 0000018302010A4A, 0000018302010AC6
Loading the shim user DLL "%wZ" failed with status 0x%08lx, xrefs: 0000018302010A51
Getting the shim user exports failed with status 0x%08lx, xrefs: 0000018302010AB3

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Getting the shim user exports failed with status 0x%08lx$LdrpGetProcApphelpCheckModule$Loading the shim user DLL "%wZ" failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-2433441700
Opcode ID: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction ID: 2c050c6b0831103eca059ebf014c3f012610187269de4938d7fcaf331cc6730d
Opcode Fuzzy Hash: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction Fuzzy Hash: 6C519332304B4086E711CF19E8907DA73A1F788B84FA88125FA9D87B65DF39D745C700

Function 0000018301FC2E0C Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

Querying large page info failed with status 0x%08lx, xrefs: 00000183020093AA
LdrpProtectAndRelocateImage, xrefs: 00000183020093B9, 000001830200941B, 0000018302009457
Changing the protection of the executable at %p failed with status 0x%08lx, xrefs: 000001830200940C
Status: 0x%08lx, xrefs: 0000018302009445
minkernel\ntdll\ldrfind.c, xrefs: 00000183020093C5, 0000018302009422, 0000018302009463

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Changing the protection of the executable at %p failed with status 0x%08lx$LdrpProtectAndRelocateImage$Querying large page info failed with status 0x%08lx$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-3846273245
Opcode ID: abcae3a8a8489f1fadcbe02b3f265b1c3f2b21eb6c14adac2405167a411eb1b6
Instruction ID: 8b7d6838ab54f4a17cdb2ad196c345e2265a163c75e542ffd9052e33a9590977
Opcode Fuzzy Hash: abcae3a8a8489f1fadcbe02b3f265b1c3f2b21eb6c14adac2405167a411eb1b6
Instruction Fuzzy Hash: 53419F32604B8446F7229B54AA803DA2790E794F58F6CC215FEB953BE1DF38CB85DB10

Function 0000018301F4E1C0 Relevance: 6.3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018301FEA969, 0000018301FEA9B1
VirtualProtect Failed 0x%p %x, xrefs: 0000018301FEA987
VirtualQuery Failed 0x%p %x, xrefs: 0000018301FEA9CF
0, xrefs: 0000018301F4E20C
HEAP: , xrefs: 0000018301FEA97B, 0000018301FEA9C3

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-2326531815
Opcode ID: 76b190f4b2124d594a27fa568aa3616332a0d20b4b6db89f8748376757f24071
Instruction ID: e5767c0064c8e09e76e99bd493661bfdb6057b8e9ed7679f0a068ab38f043317
Opcode Fuzzy Hash: 76b190f4b2124d594a27fa568aa3616332a0d20b4b6db89f8748376757f24071
Instruction Fuzzy Hash: 70411936204E8481EB219B19E8503DE63A5F795BA4F588212FABE437E5DF38C785D700

Function 0000018301FC2924 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\sxsisol.cpp, xrefs: 0000018302009193, 00000183020091CC
Internal error check failed, xrefs: 000001830200919A, 00000183020091D3
(This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL), xrefs: 00000183020091B0
This != NULL, xrefs: 0000018302009186
rUS.Length <= This->PrivatePreallocatedString->MaximumLength, xrefs: 00000183020091BF

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: (This->PrivateDynamicallyAllocatedString == NULL) || (This->PrivateDynamicallyAllocatedString->Buffer == NULL)$Internal error check failed$This != NULL$minkernel\ntdll\sxsisol.cpp$rUS.Length <= This->PrivatePreallocatedString->MaximumLength
API String ID: 0-3589341846
Opcode ID: 07bbbf50b21f4078d9dd3934d7a2a66823b1323a23a329915a539fc90939d452
Instruction ID: 981f80b49328000413e10bc9b0ccdcc32d40d7c3643cf78a701ba02b0ef98489
Opcode Fuzzy Hash: 07bbbf50b21f4078d9dd3934d7a2a66823b1323a23a329915a539fc90939d452
Instruction Fuzzy Hash: 64414A31602F4491FB11CB06E5903ED6360FB59F84FA8C612AA6E43B91DF24CBA1E300

Function 0000018301FC2D2C Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 000001830200932B, 0000018302009379
DLL name: %wZ, xrefs: 0000018302009308
Status: 0x%08lx, xrefs: 0000018302009357
LdrpRelocateImage, xrefs: 000001830200931F, 000001830200936D
H, xrefs: 000001830200933D

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$H$LdrpRelocateImage$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-1580685039
Opcode ID: 688fafef5006efe96c6f2117a16b57247b5e09a7b4bf809afbeb823443735ae6
Instruction ID: ebb95c12b12d688567639df7b3c314eb56537970cc2f2025f5f1afd6d7e9295d
Opcode Fuzzy Hash: 688fafef5006efe96c6f2117a16b57247b5e09a7b4bf809afbeb823443735ae6
Instruction Fuzzy Hash: 30317031208F8186FB51DB11A5907EE7794F794B84F588225FEAA43BA5DF3CC7459B00

Function 0000018301F9FEF0 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

Packaged DLL search path computed. Package Dirs: %ws, DllPath: %ws, xrefs: 0000018301FFD926
minkernel\ntdll\ldrutil.c, xrefs: 0000018301FFD8B8, 0000018301FFD8E5, 0000018301FFD91F
Lazy DLL search path computation failed with status: 0x%08lx., xrefs: 0000018301FFD8A4
DLL search path computed: %ws, xrefs: 0000018301FFD8DE
LdrpComputeLazyDllPath, xrefs: 0000018301FFD89D, 0000018301FFD8F7, 0000018301FFD913

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL search path computed: %ws$Lazy DLL search path computation failed with status: 0x%08lx.$LdrpComputeLazyDllPath$Packaged DLL search path computed. Package Dirs: %ws, DllPath: %ws$minkernel\ntdll\ldrutil.c
API String ID: 0-358238182
Opcode ID: d9b9bb1a86f2b326fe48d432a11851cd4063c43b2f81e9aceef26b2c73665142
Instruction ID: 888d1cfc6cc6a99061e81ea926363c34d5600baf57dbb2ba25cd5ccadb245b84
Opcode Fuzzy Hash: d9b9bb1a86f2b326fe48d432a11851cd4063c43b2f81e9aceef26b2c73665142
Instruction Fuzzy Hash: 2D415B31204F4592EB22DB50F8507DA77A4F788B48F588216FAAD47BA9DF78C749C740

Function 0000018301F9EDAC Relevance: 5.4, Strings: 4, Instructions: 356COMMON

Download Yara Rule

Strings

LdrpSearchPath, xrefs: 0000018301FFD1A0, 0000018301FFD3A9
DLL name: %wZ, xrefs: 0000018301FFD187
Status: 0x%08lx, xrefs: 0000018301FFD393
minkernel\ntdll\ldrfind.c, xrefs: 0000018301FFD18E, 0000018301FFD3B5

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpSearchPath$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-4206496468
Opcode ID: 9521b5448327fa9aa51273bcdda7400f331b41bbb73bf5b1fbfd95ad9a669724
Instruction ID: b04a70d75791dc2fb2ef2e70fa3644308f19a6f200bc7b7c4e6c2b06ac84e00e
Opcode Fuzzy Hash: 9521b5448327fa9aa51273bcdda7400f331b41bbb73bf5b1fbfd95ad9a669724
Instruction Fuzzy Hash: 50E19736705F5085EB61EB6AD4407EE27A1EB44F88F598216FEA987795EF38C742C300

Function 0000018301FA1EFC Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

!!! Detour detected, disable parallel loading, xrefs: 0000018301FFE5FF
minkernel\ntdll\ldrmap.c, xrefs: 0000018301FFE5D9, 0000018301FFE61D
NtSetInformationProcess: ProcessLoaderDetour failed with status 0x%08lx, xrefs: 0000018301FFE5C5
LdrpDetectDetour, xrefs: 0000018301FFE5BE, 0000018301FFE60C

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: !!! Detour detected, disable parallel loading$LdrpDetectDetour$NtSetInformationProcess: ProcessLoaderDetour failed with status 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-3708324991
Opcode ID: ae717ded8387fdbd4eb0d12df3b62de6b6b24d41631abd93f2f0a7e75e4e86df
Instruction ID: d203d6b145a9ee48af821f97befd781c42df6bf8621ba6fb7e060328e1f474b3
Opcode Fuzzy Hash: ae717ded8387fdbd4eb0d12df3b62de6b6b24d41631abd93f2f0a7e75e4e86df
Instruction Fuzzy Hash: 8DD169B6214B8486EB51CF29E8803ED27A1F758F88F99C216EA6D037A5DF38C745C740

Function 0000018301FAE548 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

Merging a cycle rooted at %wZ., xrefs: 0000018302000387
Adding cyclic module %wZ., xrefs: 00000183020003B6
LdrpMergeNodes, xrefs: 000001830200036D, 00000183020003AF
minkernel\ntdll\ldrddag.c, xrefs: 0000018302000378, 00000183020003C2

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Adding cyclic module %wZ.$LdrpMergeNodes$Merging a cycle rooted at %wZ.$minkernel\ntdll\ldrddag.c
API String ID: 0-1720079891
Opcode ID: 043020c5b29d29c751ca38547acac88a07ad1949baef2c20ebfd93bac03d0e8e
Instruction ID: 30e82d44aa806e9621af4e7524497c6da2996d5f70d02ee2c43e59fa3ecca730
Opcode Fuzzy Hash: 043020c5b29d29c751ca38547acac88a07ad1949baef2c20ebfd93bac03d0e8e
Instruction Fuzzy Hash: CEC105B2211F4481EA61CF56E5803AC33A5F354F84FA8C626EA6D57795EF38CBA1C340

Function 0000018301F54C38 Relevance: 5.2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

LdrpMinimalMapModule, xrefs: 0000018301FECF67, 0000018301FECFFF
minkernel\ntdll\ldrmap.c, xrefs: 0000018301FECF7A, 0000018301FED00B
DLL name: %wZ, xrefs: 0000018301FECF6E
Status: 0x%08lx, xrefs: 0000018301FECFE9

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpMinimalMapModule$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 0-1759440706
Opcode ID: cad6c87835dba6ff70b3f669fddd3a10ec9eb5783d6a23acae571d114d4a5590
Instruction ID: 9b75e76fa3692819f5020cf67d02226b8b80f9014cd624f1c56b625555e8ba93
Opcode Fuzzy Hash: cad6c87835dba6ff70b3f669fddd3a10ec9eb5783d6a23acae571d114d4a5590
Instruction Fuzzy Hash: 1E817C32204F4096EB658F25E8907ED27A4F748B98F588316FE6947B99EF38C785C700

Function 0000018301FA5A30 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

::%hs%u.%u.%u.%u, xrefs: 0000018301FFF226
::ffff:0:%u.%u.%u.%u, xrefs: 0000018301FFF238
ffff:, xrefs: 0000018301FFF1E9
:%u.%u.%u.%u, xrefs: 0000018301FFF2B8

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 0-2108815105
Opcode ID: 69b2b847c13de5a79021b069f541dbfe07352da928340f1296ce0f8f47384177
Instruction ID: b2fd742b05539f60443137966b4476c16ab670ccf0d5086df2671ce350578fbf
Opcode Fuzzy Hash: 69b2b847c13de5a79021b069f541dbfe07352da928340f1296ce0f8f47384177
Instruction Fuzzy Hash: 7A7105B6704AD046D7249B64D4502EEB7A1F700F88F9CC216FA655BBA8DF3CCB468740

Function 00000183020200A8 Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation, xrefs: 00000183020200FD, 0000018302020196
SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u), xrefs: 00000183020201AC
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context, xrefs: 000001830202010B
h, xrefs: 000001830202015E

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: RtlpQueryFilesInAssemblyInformationActivationContextDetailedInformation$SXS: %s() received invalid file index (%u, max is %u) in Assembly (%u)$SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context$h
API String ID: 0-4074404755
Opcode ID: 8da84731218229204a8cd93361a097d34f9adb4f4710e96a52fe3ad721e40135
Instruction ID: 46a8d1aa800444a4b856735baeabf3b1271fedc21ade3fd491ee7eec401b9d4d
Opcode Fuzzy Hash: 8da84731218229204a8cd93361a097d34f9adb4f4710e96a52fe3ad721e40135
Instruction Fuzzy Hash: 7A719E32611B518BE721CF05E484BDD77A6F794B48F29C12AEB6943B44CB34DB99CB00

Function 0000018302059D38 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0000018302059E31
GlobalizationUserSettings, xrefs: 0000018302059E53
0, xrefs: 0000018302059F12
TargetNtPath, xrefs: 0000018302059E4C

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: 0$GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-1436388672
Opcode ID: d33c5f0c9c5f5a4987733f3c1e8ced11be68c1c884f1e330a1b86ba90eb9f337
Instruction ID: c4388678529dda03bf5d2bec744aaa84395aff81c55c89a88391348d7bbb0699
Opcode Fuzzy Hash: d33c5f0c9c5f5a4987733f3c1e8ced11be68c1c884f1e330a1b86ba90eb9f337
Instruction Fuzzy Hash: CF71AC72310B558AFB018B22E8903DAB7A1F789B84F688121EF6957755EF39C745CB80

Function 0000018301F5FA14 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrapi.c, xrefs: 0000018301FEFF15, 0000018301FEFF4B
DLL name: %wZ, xrefs: 0000018301FEFEF7
Status: 0x%08lx, xrefs: 0000018301FEFF2D
LdrpLoadDllInternal, xrefs: 0000018301FEFF09, 0000018301FEFF3F

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpLoadDllInternal$Status: 0x%08lx$minkernel\ntdll\ldrapi.c
API String ID: 0-3213092628
Opcode ID: 7701d67c5a0153aea717840d74723d4ca3db6ca73d76337b96434bc3384c4ad8
Instruction ID: a6a0713ecb75676a97e7f460b03df7e18c66945366a0331bf20dddbe014a40f9
Opcode Fuzzy Hash: 7701d67c5a0153aea717840d74723d4ca3db6ca73d76337b96434bc3384c4ad8
Instruction Fuzzy Hash: 5D714932204F8085EB209B15E4543DE77A4E789F94F6D8261EFA987BAADF38C741C701

Function 0000018301F9F0B4 Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

LdrpResolveDllName, xrefs: 0000018301FFD3DF, 0000018301FFD413
DLL name: %wZ, xrefs: 0000018301FFD3C8
Status: 0x%08lx, xrefs: 0000018301FFD3FD
minkernel\ntdll\ldrfind.c, xrefs: 0000018301FFD3EB, 0000018301FFD41F

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrpResolveDllName$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 0-992240436
Opcode ID: 26857c727e17897b218fd984172aadc402c5d00fc10a5a9914687e2eefea5e38
Instruction ID: 6daace1192f07cf8db7ab58dee070b84172a94998d1ee6c4f29dcd2d779a2945
Opcode Fuzzy Hash: 26857c727e17897b218fd984172aadc402c5d00fc10a5a9914687e2eefea5e38
Instruction Fuzzy Hash: 9C518072A14F8085EB21AB11E4403DE6BA0F799F84F58C212FEA987795EF78D7908740

Function 0000018301FC0E04 Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrdload.c, xrefs: 0000018302008446
Unknown, xrefs: 0000018302008413
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 000001830200842B
LdrpRedirectDelayloadFailure, xrefs: 000001830200841F

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 0-3349709885
Opcode ID: a4fac57d8a51f6061942cf3ca09f93880188e8318465e8a61b298fb83938f65a
Instruction ID: 75753a300440e52139a9e2facb1daf464a44ae4cc1ec9cd13f9189380fbf10fd
Opcode Fuzzy Hash: a4fac57d8a51f6061942cf3ca09f93880188e8318465e8a61b298fb83938f65a
Instruction Fuzzy Hash: C3517836705B44CAFB628F65A5407DD27A0F358B98F688125EE6917B98DF38C70ADB00

Function 0000018301F50380 Relevance: 5.1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

Strings

LdrResolveDelayLoadedAPI, xrefs: 0000018301F504B0, 0000018301FEB210
minkernel\ntdll\ldrdload.c, xrefs: 0000018301F504BC, 0000018301FEB21C
LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 0000018301F504A1
LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x, xrefs: 0000018301FEB201

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: LdrResolveDelayLoadedAPI$LdrResolveDelayLoadedAPI:Unable to locate DLL based at 0x%p.Status = 0x%x$LdrResolveDelayLoadedAPI:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrdload.c
API String ID: 0-1756274442
Opcode ID: b88ea02462bc025a573015ed81a13cfde089274e7014f0a0105a807ed334faa3
Instruction ID: dddbe06712967a627b37cc4a299ca553b112274f6b67e2b89d042d2e27da0c9a
Opcode Fuzzy Hash: b88ea02462bc025a573015ed81a13cfde089274e7014f0a0105a807ed334faa3
Instruction Fuzzy Hash: CB414D32214B8046EB65DB15E8407DE77A4F784B84F5C8225FEA957BA9DF38C745CB00

Function 000001830203AD44 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 000001830203AE0E, 000001830203AEA9
This is located in the %s field of the heap header., xrefs: 000001830203AED2
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 000001830203AE40
HEAP: , xrefs: 000001830203AE20, 000001830203AEC3

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: b71e40a072b7d5a7c1989120eb19d234d11030740bf8de39266d4688e4bbd9ab
Instruction ID: 182c0ecf652ee8953051319c96baddfb30b16a0fcbe79409bd29cf5e1cb6d15c
Opcode Fuzzy Hash: b71e40a072b7d5a7c1989120eb19d234d11030740bf8de39266d4688e4bbd9ab
Instruction Fuzzy Hash: 0F414871300B4482EB11DB15E444BEAB3A5F794F94F688222FAAA477A5DF39C744C344

Function 0000018301F54E80 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

LdrpFindDllActivationContext, xrefs: 0000018301FED072, 0000018301FED0B8
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0000018301FED079
Querying the active activation context failed with status 0x%08lx, xrefs: 0000018301FED0A5
minkernel\ntdll\ldrsnap.c, xrefs: 0000018301FED085, 0000018301FED0C4

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: b3db1ada55566f29ce300c7f8a56d9bc3a74de6439a0c7eb5736e49b28f733de
Instruction ID: c298d3de75a58e9302987d8aaaed1cda572e76d4cabb079109f541fd66b26a37
Opcode Fuzzy Hash: b3db1ada55566f29ce300c7f8a56d9bc3a74de6439a0c7eb5736e49b28f733de
Instruction Fuzzy Hash: FF414D31608B4492FB618B45A4887DDA7E4B344F98F5CC216FB6903B98EF78CBD59700

Function 0000018301F568A0 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

LdrGetDllHandleEx, xrefs: 0000018301FED63F, 0000018301FED6AA
minkernel\ntdll\ldrapi.c, xrefs: 0000018301FED64B, 0000018301FED6B6
DLL name: %wZ, xrefs: 0000018301FED628
Status: 0x%08lx, xrefs: 0000018301FED694

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$LdrGetDllHandleEx$Status: 0x%08lx$minkernel\ntdll\ldrapi.c
API String ID: 0-4104331901
Opcode ID: 23e170ce7bbda4a7a7276296c09a79c9220fc18554abaeafb2c52238f161871f
Instruction ID: 9a674488e12450e7ef3f1006d476d5d343d91f78a1e0556d2d94dce17a06745b
Opcode Fuzzy Hash: 23e170ce7bbda4a7a7276296c09a79c9220fc18554abaeafb2c52238f161871f
Instruction Fuzzy Hash: 7341A171218F8485FB219B11A4507EE67A0E799F94FAC8212FE7E87799DF38C7418B00

Function 0000018301F8D1E4 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

!, xrefs: 0000018301F8D2BF
0, xrefs: 0000018301F8D27E
\??\, xrefs: 0000018301F8D239
@, xrefs: 0000018301F8D2A4

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: !$0$@$\??\
API String ID: 0-2378251065
Opcode ID: d11d007897973202912b86bbf632058817eb397bdfa4d5d6bba43af5ccce839b
Instruction ID: 2619e68fe536476945cf9700f9ae8658a3cb2b75c1b43fe5d6d19637d3def92e
Opcode Fuzzy Hash: d11d007897973202912b86bbf632058817eb397bdfa4d5d6bba43af5ccce839b
Instruction Fuzzy Hash: 02418C72614B8086E700DFA0E4842CEB7B5FB88B84F549216FB8D47B98EF78C245CB40

Function 0000018301FAA914 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

LdrpProcessDetachNode, xrefs: 0000018301FFFCBD
Uninitializing DLL "%wZ" (Init routine: %p), xrefs: 0000018301FFFCAB
minkernel\ntdll\ldrsnap.c, xrefs: 0000018301FFFCC9
H, xrefs: 0000018301FAA9B3

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: H$LdrpProcessDetachNode$Uninitializing DLL "%wZ" (Init routine: %p)$minkernel\ntdll\ldrsnap.c
API String ID: 0-2965656906
Opcode ID: 4f614e716af26858b3d6e8abb1bca9cdb51dfeb918870fced8501e769bfe331b
Instruction ID: 8feafbd8edf3d9d5d83042eb8aa570bfa2dba794d55bd09a4eb7b1f3ebaa1c84
Opcode Fuzzy Hash: 4f614e716af26858b3d6e8abb1bca9cdb51dfeb918870fced8501e769bfe331b
Instruction Fuzzy Hash: C5415D72215F8081E760CF11E5503AE73A4F788F84F99D225EA9943B99EF78C799C740

Function 0000018302039478 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

RtlDestroyHeap, xrefs: 00000183020394E7
HEAP[%wZ]: , xrefs: 00000183020394A9
May not destroy the process heap at %p, xrefs: 00000183020394D2
HEAP: , xrefs: 00000183020394C3

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 2dc8ca39f5b21cb1f58b5cfceb1e46fa347bda9bd1d3e3d9118ebff7a581c0db
Instruction ID: bcd2c3f42e347b28e203c3b7445713d6efffcfb16520e4fe6195610788194935
Opcode Fuzzy Hash: 2dc8ca39f5b21cb1f58b5cfceb1e46fa347bda9bd1d3e3d9118ebff7a581c0db
Instruction Fuzzy Hash: AA117C72614B0882FF52EB16D480BD92365B794F94F6CD012F92D473A6DFA8C784C310

Function 0000018301F9E510 Relevance: 5.0, Strings: 4, Instructions: 37COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000018301FFD085
Invalid heap signature for heap at %p, xrefs: 0000018301FFD0A6
, passed to %s, xrefs: 0000018301FFD0BA
HEAP: , xrefs: 0000018301FFD097

Memory Dump Source

Source File: 00000006.00000002.3357660349.0000018301F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000018301F40000, based on PE: true

Associated: 00000006.00000002.3357631634.0000018301F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357810985.000001830205D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357868762.00000183020A6000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357893688.00000183020B2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357917492.00000183020C1000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3357946457.00000183020C6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3358004276.0000018302137000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_18301f40000_rundll32.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p
API String ID: 0-2470418468
Opcode ID: ed0dbc8e4f4792f99bca2f4832526f942fd116cdcbe3696325fa0972c94868d2
Instruction ID: 7363f1734506e9ae76b3cb9ad294ce4ff2066eb058f24df4ec6a9656e2f002fb
Opcode Fuzzy Hash: ed0dbc8e4f4792f99bca2f4832526f942fd116cdcbe3696325fa0972c94868d2
Instruction Fuzzy Hash: F6012931200E4491FE15AB56E8953DD63A5AB90FC4F6CC121F92E473A6EE38C786D300

Analysis Process: rundll32.exePID: 7120, Parent PID: 3416COMMON

Non-executed Functions

Function 0000014A1933C920 Relevance: 37.7, Strings: 30, Instructions: 239COMMON

Download Yara Rule

Strings

write to, xrefs: 0000014A193A0D87
*** Inpage error in %ws:%s, xrefs: 0000014A193A0CCB
*** An Access Violation occurred in %ws:%s, xrefs: 0000014A193A0D6A
This failed because of error %Ix., xrefs: 0000014A193A0D05
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0000014A193A0BA6
*** enter .exr %p for the exception record, xrefs: 0000014A193A0DE5
Go determine why that thread has not released the critical section., xrefs: 0000014A193A0C76
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0000014A193A0B96
The instruction at %p referenced memory at %p., xrefs: 0000014A193A0CEE
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0000014A193A0C81
*** then kb to get the faulting stack, xrefs: 0000014A193A0E14
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0000014A193A0D59
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0000014A193A0B86
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0000014A193A0B5D
The critical section is owned by thread %p., xrefs: 0000014A193A0C68
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0000014A193A0B78
read from, xrefs: 0000014A193A0D80
an invalid address, %p, xrefs: 0000014A193A0DBB
The instruction at %p tried to %s , xrefs: 0000014A193A0D9F
<unknown>, xrefs: 0000014A193A0AF9
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0000014A193A0C33
*** enter .cxr %p for the context, xrefs: 0000014A193A0E04
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0000014A193A0D44
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0000014A193A0D50
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0000014A193A0E3F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0000014A193A0C49
a NULL pointer, xrefs: 0000014A193A0DCD
The resource is owned exclusively by thread %p, xrefs: 0000014A193A0C11
The resource is owned shared by %d threads, xrefs: 0000014A193A0C23
*** Resource timeout (%p) in %ws:%s, xrefs: 0000014A193A0BE5

Memory Dump Source

Source File: 00000009.00000003.2437247357.0000014A192A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014A192A0000, based on PE: true

Associated: 00000009.00000003.2437230082.0000014A192A0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437353750.0000014A19406000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437372501.0000014A19412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437387953.0000014A19421000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437402088.0000014A19426000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_14a192a0000_rundll32.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction ID: 8fd96489923b0947336a740743c2ea0ad7ee994b3d1d056307927972cf12e6b6
Opcode Fuzzy Hash: b382d40916eae78fb322a776e024020a4f6379aa4851f00f97a9faaa9c442b5d
Instruction Fuzzy Hash: 14B1B076280A4082F724DF61A8547D973E9FF89F48FCB452AA94D6B2B5DF38D509C302

Function 0000014A192BE940 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0000014A1934F79C, 0000014A1934F87D
HEAP: , xrefs: 0000014A1934F7AE, 0000014A1934F897
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 0000014A1934F8A3
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 0000014A1934F7BA

Memory Dump Source

Source File: 00000009.00000003.2437247357.0000014A192A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014A192A0000, based on PE: true

Associated: 00000009.00000003.2437230082.0000014A192A0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437353750.0000014A19406000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437372501.0000014A19412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437387953.0000014A19421000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437402088.0000014A19426000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_14a192a0000_rundll32.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction ID: 5184f90ced389f58acbc73c1e9d62b917445d388a8b785cac855a1f6cd3de635
Opcode Fuzzy Hash: 72280a51bfa5c30c95c8b3741b7a1b1782cb1b871b5b8330eacba0194786212c
Instruction Fuzzy Hash: 55B1F47228468085EB60CB25D6107ED77E8FF54F84F8A8029DA8B4F7B5DB38E545D342

Function 00000018F658C38B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2438406468.00000018F658C000.00000004.00000010.00020000.00000000.sdmp, Offset: 00000018F658C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_18f658c000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03fe763ba996f53269c6e458129d9aa5ec633554ac56e05dea5779817c401db
Instruction ID: e0f8700eb7b2866591a98e5af39d79c5d66fdfa03dd8be33e2f0dc95f81ea955
Opcode Fuzzy Hash: e03fe763ba996f53269c6e458129d9aa5ec633554ac56e05dea5779817c401db
Instruction Fuzzy Hash: CDF0CF2108E3C15FC71367609D629903FB0AD4725030A06D3D480CF0A3C21C9E28D722

Function 0000014A19370940 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

Getting the shim user exports failed with status 0x%08lx, xrefs: 0000014A19370AB3
Loading the shim user DLL "%wZ" failed with status 0x%08lx, xrefs: 0000014A19370A51
minkernel\ntdll\ldrinit.c, xrefs: 0000014A19370A65, 0000014A19370AD2
apphelp.dll, xrefs: 0000014A19370975
LdrpGetProcApphelpCheckModule, xrefs: 0000014A19370A4A, 0000014A19370AC6

Memory Dump Source

Source File: 00000009.00000003.2437247357.0000014A192A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000014A192A0000, based on PE: true

Associated: 00000009.00000003.2437230082.0000014A192A0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437325258.0000014A193BD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437353750.0000014A19406000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437372501.0000014A19412000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437387953.0000014A19421000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000003.2437402088.0000014A19426000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_14a192a0000_rundll32.jbxd

Similarity

API ID:
String ID: Getting the shim user exports failed with status 0x%08lx$LdrpGetProcApphelpCheckModule$Loading the shim user DLL "%wZ" failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-2433441700
Opcode ID: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction ID: 2dfb8c347bff78a8a8270aa4c84f116b363ead879581d20d9b19cfc59635eae5
Opcode Fuzzy Hash: a960f1a0d39bd8010510a1364d0a2e680b63e724e132c16bacfe38015742f303
Instruction Fuzzy Hash: A251B636344B8186E714DF25E8807DA73A8FB88B88FD6412AEA8D97B75DF38C541C741

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loki.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_854b105fcaad69833d11c726c849e131e599a12_f58d6082_9dba2821-f4e0-4848-8ddd-18ed2f9dbbed\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_854b105fcaad69833d11c726c849e131e599a12_f58d6082_c9cac7d9-4b98-4bd9-b74c-cc2857da2bb9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_b782053f3f0ac26fd43d6671732ad0e6807ab3_f58d6082_22c71449-6dc8-4223-a80a-d0c15493f78c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Lok_b782053f3f0ac26fd43d6671732ad0e6807ab3_f58d6082_da67ddd5-614b-47ce-8b09-19e1b07a4e36\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7401.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER749E.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88FF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B03.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BC0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6B6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB744.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1C2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC25F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC28F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
Loki.dll.dll