Windows Analysis Report
FBO3NVXcYu.dll

Overview

General Information

Sample name:FBO3NVXcYu.dll
renamed because original name is a hash value
Original sample name:14ff2a275e6994ba792d2733f35c410f.dll
Analysis ID:1541900
MD5:14ff2a275e6994ba792d2733f35c410f
SHA1:52305ae15c459eb33e76c0df79622147e54b6ddb
SHA256:ab67f9b2aba675e29dfde3beb40683ffdceb70b1237f43093aa94a20855d2e87
Tags:32dllexetrojan
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Sigma detected: Potential WinAPI Calls Via CommandLine
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1584 cmdline: loaddll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6496 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7008 cmdline: rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7024 cmdline: rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3816 cmdline: rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,NtUnloadDllMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6244 cmdline: rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",FreeLibraryMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 424 cmdline: rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",NtUnloadDllMemoryAndExitThread MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread, CommandLine: rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 1584, ParentProcessName: loaddll32.exe, ProcessCommandLine: rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread, ProcessId: 7024, ProcessName: rundll32.exe
No Suricata rule has matched

AV Detection

Source: FBO3NVXcYu.dllReversingLabs: Detection: 47%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 97.1% probability
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13F47C __CxxThrowException@8,CryptStringToBinaryA,3_2_6D13F47C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13B3B8 CryptStringToBinaryA,3_2_6D13B3B8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13B3D5 CryptStringToBinaryA,CryptStringToBinaryA,3_2_6D13B3D5
Source: FBO3NVXcYu.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: FBO3NVXcYu.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D124DD0 NtUnloadDllMemoryAndExitThread,3_2_6D124DD0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D187ACE appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D13F1B0 appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D13DEDC appears 114 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6D1617BE appears 35 times
Source: FBO3NVXcYu.dllBinary or memory string: OriginalFilenamelibemb.dll. vs FBO3NVXcYu.dll
Source: classification engineClassification label: mal56.winDLL@14/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: FBO3NVXcYu.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",FreeLibraryMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FBO3NVXcYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FBO3NVXcYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FBO3NVXcYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FBO3NVXcYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FBO3NVXcYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FBO3NVXcYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13B049 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6D13B049
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13F1F6 push ecx; ret 3_2_6D13F209
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13DEA5 push ecx; ret 3_2_6D13DEB8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13BC62 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6D13BC62
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_3-54425
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 2.5 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13EF6C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D13EF6C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D180424 mov eax, dword ptr fs:[00000030h]3_2_6D180424
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13EB42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6D13EB42
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D1820FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D1820FF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13F101 SetUnhandledExceptionFilter,3_2_6D13F101
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13F21E cpuid 3_2_6D13F21E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6D18E95D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6D18E890
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_6D18E410
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6D18E789
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6D18E660
Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,GetLocaleInfoW,3_2_6D18E007
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D18E383
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D18E27F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D18E2E8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D1875BE
Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D187726
Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6D18800E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D13EE8F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_6D13EE8F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D146A5D GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,3_2_6D146A5D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D156EF5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,3_2_6D156EF5
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D1560B5 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,3_2_6D1560B5
[Tactic/technique matrix, flattened in extraction. Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Entries shown with a count: Native API (2), DLL Side-Loading (1), Process Injection (11), Rundll32 (1), System Time Discovery (1), Archive Collected Data (1), Encrypted Channel (2), Virtualization/Sandbox Evasion (1), Security Software Discovery (1), Deobfuscate/Decode Files or Information (1), System Information Discovery (23), Obfuscated Files or Information (2).]
[Behavior graph, ID 1541900. Sample: FBO3NVXcYu.dll, Startdate: 25/10/2024, Architecture: WINDOWS, Score: 56. Signatures shown: Multi AV Scanner detection for submitted file; AI detected suspicious sample; Sigma detected: Potential WinAPI Calls Via CommandLine. Process tree: loaddll32.exe started cmd.exe, conhost.exe, rundll32.exe and 3 other processes; cmd.exe started rundll32.exe.]

Source | Detection | Scanner | Label | Link
FBO3NVXcYu.dll | 47% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541900
Start date and time:2024-10-25 09:47:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 6s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:FBO3NVXcYu.dll
renamed because original name is a hash value
Original Sample Name:14ff2a275e6994ba792d2733f35c410f.dll
Detection:MAL
Classification:mal56.winDLL@14/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 7
  • Number of non-executed functions: 156
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: FBO3NVXcYu.dll
Time | Type | Description
03:48:15 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.791650181507916
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:FBO3NVXcYu.dll
File size:650'240 bytes
MD5:14ff2a275e6994ba792d2733f35c410f
SHA1:52305ae15c459eb33e76c0df79622147e54b6ddb
SHA256:ab67f9b2aba675e29dfde3beb40683ffdceb70b1237f43093aa94a20855d2e87
SHA512:d940946861eb1f3f5e562bec8e583e2ec126ddeb45e15c8c9a1861c7bcc1a3cb987e66e0c0da4860d3351458f1ccf74cf68f870c7daa3c460b22511df4a67df2
SSDEEP:12288:MSB6YObJN3d0aH+5lR35CTxzcTo6cNs6IQy/lOljXtF9EO:MSE5JN3dVS/cTps19Olbt7EO
TLSH:82D49E12798280F2D33B22364568F63A57BD79321A31CB9FABD81D3D6F305C17A25627
Icon Hash:7ae282899bbab082
Entrypoint:0x1001e2d6
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6717E79D [Tue Oct 22 17:57:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:56b6595b1315c0d123745ab0902e6aad
Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FA608C1B577h
call 00007FA608C1C120h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FA608C1B41Dh
add esp, 0Ch
pop ebp
retn 000Ch
push ebx
push esi
push edi
push 00000000h
push 00000FA0h
push 10098E38h
call 00007FA608C3F34Ah
add esp, 0Ch
push 100813ACh
call dword ptr [10080040h]
mov esi, eax
test esi, esi
je 00007FA608C1B602h
push 100815ECh
push esi
call dword ptr [1008001Ch]
push 1008163Ch
push esi
mov ebx, eax
call dword ptr [1008001Ch]
push 10081620h
push esi
mov edi, eax
call dword ptr [1008001Ch]
mov esi, eax
test ebx, ebx
je 00007FA608C1B5A9h
test edi, edi
je 00007FA608C1B5A5h
test esi, esi
je 00007FA608C1B5A1h
and dword ptr [10098E54h], 00000000h
mov ecx, ebx
push 10098E50h
call 00007FA608C1B83Ch
call ebx
push edi
call 00007FA608C1B5E0h
push esi
mov dword ptr [10098E58h], eax
call 00007FA608C1B5F2h
pop ecx
pop ecx
mov dword ptr [10098E5Ch], eax
jmp 00007FA608C1B588h
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [10080084h]
mov dword ptr [10098E54h], eax
test eax, eax
Programming Language:
  • [ C ] VS2015 build 23026
  • [C++] VS2015 build 23026
  • [EXP] VS2015 build 23026
  • [RES] VS2015 build 23026
  • [LNK] VS2015 build 23026
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x918d0 | 0x85 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91958 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9b000 | 0xb18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0x6e48 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8b150 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x8b1cc | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8b170 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x80000 | 0x218 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7ea50 | 0x7ec00 | 5138b54b27c22a18b010d4ed3f9a885f | False | 0.4739544810157791 | data | 6.744101180473579 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x80000 | 0x125ec | 0x12600 | c68d7c7c27a00b1b58e404eb683cd9c8 | False | 0.43493569302721086 | data | 5.302977854980895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x93000 | 0x6fb8 | 0x5800 | d6f12555e3f6b75653ed3c40388651ec | False | 0.40150035511363635 | data | 6.851774743029076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x9a000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9b000 | 0xb18 | 0xc00 | 0148639e09d02922b74cb27907c488a9 | False | 0.3440755208333333 | data | 5.0405432572223505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0x6e48 | 0x7000 | 40e257171e94d71260cd7275452515ea | False | 0.5946916852678571 | data | 6.558738789344906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x9b0a0 | 0x2bc | data | Chinese | China | 0.5228571428571429
RT_MANIFEST | 0x9b360 | 0x7b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1912), with CRLF line terminators | English | United States | 0.3220081135902637
DLL | Import
USER32.dll | wsprintfW
CRYPT32.dll | CryptStringToBinaryA
KERNEL32.dll | IsDebuggerPresent, GetCurrentProcess, FreeLibrary, GetProcAddress, LoadLibraryW, VirtualProtect, CreateFileW, GetFileSize, ReadFile, CloseHandle, SetLastError, GetLastError, GetModuleHandleW, GetModuleHandleA, GetNativeSystemInfo, VirtualAlloc, LoadLibraryA, VirtualFree, GetThreadLocale, lstrlenW, QueryPerformanceCounter, QueryPerformanceFrequency, DuplicateHandle, WaitForSingleObjectEx, Sleep, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, RtlCaptureStackBackTrace, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, GetStartupInfoW, CreateTimerQueue, SignalObjectAndWait, SwitchToThread, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, FormatMessageW, OutputDebugStringW, EncodePointer, GetThreadTimes, FreeLibraryAndExitThread, GetModuleFileNameW, LoadLibraryExW, GetVersionExW, SetProcessAffinityMask, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, WaitForMultipleObjectsEx, WaitForSingleObject, DeleteCriticalSection, UnregisterWait, RtlUnwind, RaiseException, VirtualQuery, MultiByteToWideChar, ExitThread, ResumeThread, GetModuleHandleExW, HeapAlloc, HeapFree, ExitProcess, WideCharToMultiByte, GetACP, GetStdHandle, GetFileType, GetStringTypeW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, GetCommandLineA, GetCommandLineW, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, HeapSize, HeapReAlloc, WriteConsoleW, DecodePointer, OutputDebugStringA
ADVAPI32.dll | SystemFunction036
Name | Ordinal | Address
FreeLibraryMemoryAndExitThread | 1 | 0x10004dd0
NtUnloadDllMemoryAndExitThread | 2 | 0x10004dd0
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
No network behavior found

Target ID:0
Start time:03:48:02
Start date:25/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll"
Imagebase:0x630000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:03:48:02
Start date:25/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:03:48:03
Start date:25/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:03:48:03
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:03:48:03
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:03:48:06
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,NtUnloadDllMemoryAndExitThread
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:03:48:15
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",FreeLibraryMemoryAndExitThread
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:03:48:15
Start date:25/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",NtUnloadDllMemoryAndExitThread
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:0.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:18.4%
    Total number of Nodes:125
    Total number of Limit Nodes:1

    Control-flow Graph

    APIs
      • Part of subcall function 6D13AC27: LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6D13ACFE
      • Part of subcall function 6D13AC27: LoadLibraryW.KERNEL32(?), ref: 6D13AD09
      • Part of subcall function 6D13AC27: GetProcAddress.KERNEL32(00000000,?), ref: 6D13AD2E
      • Part of subcall function 6D13AC27: GetProcAddress.KERNEL32(00000000,?), ref: 6D13AD38
      • Part of subcall function 6D13AC27: GetProcAddress.KERNEL32(00000000,00000047), ref: 6D13AD42
    • LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6D13B130
    • LoadLibraryW.KERNEL32(?), ref: 6D13B138
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13B21B
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13B22A
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13B239
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13B248
    • GetProcAddress.KERNEL32(00000000,00006150), ref: 6D13B254
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13B263
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: Call$ExW$F$M$Pa$W$cW$hApp$l$ndW$rary$s$v
    • API String ID: 2238633743-375626469
    • Opcode ID: 422f48eeda95e6f9ead66e7477d824bae2919f3fc6b48d0563291f00297cd8b1
    • Instruction ID: 8167c431bd9b1be5507359e6da9eef7c681d3263f2b42c00e0c3c5e98267b96d
    • Opcode Fuzzy Hash: 422f48eeda95e6f9ead66e7477d824bae2919f3fc6b48d0563291f00297cd8b1
    • Instruction Fuzzy Hash: A2913D21E1439CD9EB10CBF4E941BEEB774FF65700F10555AD508EB2A1E7B10A84CB5A

    Control-flow Graph

    APIs
    • LoadLibraryW.KERNEL32(?,00000001,00000000,?), ref: 6D13ACFE
    • LoadLibraryW.KERNEL32(?), ref: 6D13AD09
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13AD2E
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13AD38
    • GetProcAddress.KERNEL32(00000000,00000047), ref: 6D13AD42
    • FreeLibrary.KERNEL32(00000000), ref: 6D13AE54
      • Part of subcall function 6D13AADE: __Thrd_sleep.LIBCPMT ref: 6D13AB0A
    • FreeLibrary.KERNEL32(?), ref: 6D13AE43
    • FreeLibrary.KERNEL32(00000000), ref: 6D13AE46
    • FreeLibrary.KERNEL32(00000000), ref: 6D13AE59
    • FreeLibrary.KERNEL32(00000000), ref: 6D13AE60
    Similarity
    • API ID: Library$Free$AddressProc$Load$Thrd_sleep
    • String ID: Coun$F$G$kCou$ncy$nt64$qu$t$tTic
    • API String ID: 1212583105-1930867906
    • Opcode ID: afea92950b3134964536c5a4b6440ff71ea70d982b5b501219b858c644731cec
    • Instruction ID: f5e1697e981e35a15581c9c6bfc259805c22c2a8b70a0d7fcbca26f855be72b3
    • Opcode Fuzzy Hash: afea92950b3134964536c5a4b6440ff71ea70d982b5b501219b858c644731cec
    • Instruction Fuzzy Hash: E0718B32D0436CDADF12CFF5D890AEEBBB8AF19700F11425AD508BB255EBB08A45CB54

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000078,0000002E,00000065), ref: 6D13AF95
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 6D13AFAB
    • PathAppendW.SHLWAPI(?,6D13B314), ref: 6D13AFD0
    • PathFileExistsW.KERNELBASE(?), ref: 6D13AFE1
    • PathAppendW.SHLWAPI(?,6D13B314), ref: 6D13B00F
    • MoveFileExW.KERNELBASE(?,?,00000001), ref: 6D13B029
    Similarity
    • API ID: FilePath$Append$ExistsModuleMoveNameRemoveSpec
    • String ID:
    • API String ID: 4096670196-0
    • Opcode ID: 7e628d69776ae5c18928173d39d6bcb1278d8dd9b4239684d09804a6c6295d23
    • Instruction ID: ff13b1bd0de2c0858ab17b8bd86bb734ab09acf4ab8988dfe2b4545a6c2da76a
    • Opcode Fuzzy Hash: 7e628d69776ae5c18928173d39d6bcb1278d8dd9b4239684d09804a6c6295d23
    • Instruction Fuzzy Hash: D3518D31A54259AEEB10CBE0EC49FFE7378EF55B00F10045AE608E7190E7B18A84CB69

    Control-flow Graph

    Similarity
    • API ID: dllmain_crt_dispatchdllmain_raw
    • String ID:
    • API String ID: 1382799047-0
    • Opcode ID: 817c9fd09eb1f4cd6d24a5182d5e8d40a259816c82d9955a4f3b531bbfb4feac
    • Instruction ID: 85a92f5b4ebaaf0719a9257adcfb86dfbd71e4d37dbaa79264ae30e0dd341c4f
    • Opcode Fuzzy Hash: 817c9fd09eb1f4cd6d24a5182d5e8d40a259816c82d9955a4f3b531bbfb4feac
    • Instruction Fuzzy Hash: B8215172D05776ABCB218E648C80D6F3A39AF95764B075608FD24A7249C7B58E118BE0

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 6D13B58E
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000007C,6D13B527,6D13B32E), ref: 6D13B66E
    • GetFileSize.KERNEL32(00000000,00000000), ref: 6D13B68E
    • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 6D13B6BD
      • Part of subcall function 6D13B3D5: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6D13B3EC
    • CloseHandle.KERNEL32(00000000), ref: 6D13B75B
    Similarity
    • API ID: File$BinaryCloseCreateCryptH_prolog3_HandleReadSizeString
    • String ID:
    • API String ID: 2259240775-0
    • Opcode ID: 69faafd5193ccb9bcb1beddb4bdd7a9a486aa1f38b4b0904d205c28c09eeaa72
    • Instruction ID: bc9bc123edfabc359d9a97a7f122d1d17ca6c85e622ca99da47edf870c3fdff8
    • Opcode Fuzzy Hash: 69faafd5193ccb9bcb1beddb4bdd7a9a486aa1f38b4b0904d205c28c09eeaa72
    • Instruction Fuzzy Hash: 83518D31E54358A9EB10CFE0D991BAEB734FF54750F21101AE618AF2A4E7B64940CB1A

    Control-flow Graph

    control_flow_graph 129 6d13aade-6d13ab21 call 6d13aa52 call 6d13bb5f call 6d13da1e
    APIs
    • __Thrd_sleep.LIBCPMT ref: 6D13AB0A
      • Part of subcall function 6D13BB5F: _xtime_get.LIBCPMT ref: 6D13BB79
      • Part of subcall function 6D13BB5F: __Xtime_diff_to_millis2.LIBCPMT ref: 6D13BB85
      • Part of subcall function 6D13BB5F: Sleep.KERNELBASE(00000000,00000000,?,?,6D13AD8B,00000000,?,?,?,?,?,?,?,?,6D13AD8B,?), ref: 6D13BB8D
      • Part of subcall function 6D13BB5F: _xtime_get.LIBCPMT ref: 6D13BB99
    Similarity
    • API ID: _xtime_get$SleepThrd_sleepXtime_diff_to_millis2
    • String ID:
    • API String ID: 2593056502-0
    • Opcode ID: df836f56a9540ff4cb67d7c4293c8b9bb310520258ce981948648b07f0613833
    • Instruction ID: f5219d3d4c0895b586207bb3545ac37f3af75fbef07fe12b750ce710fd45346c
    • Opcode Fuzzy Hash: df836f56a9540ff4cb67d7c4293c8b9bb310520258ce981948648b07f0613833
    • Instruction Fuzzy Hash: DCE06532A0455D9B8F11DFA9DA418DFB7BDDF45204B010166E909AB104EAA1AF0487E1

    Control-flow Graph

    APIs
      • Part of subcall function 6D12EDD0: GetModuleHandleA.KERNEL32(64D59454), ref: 6D12EEBC
      • Part of subcall function 6D12EDD0: GetProcAddress.KERNEL32(00000000,?), ref: 6D12EEC7
    • RtlExitUserThread.NTDLL(?,248535D8,?,?,6D124DE4,?,?), ref: 6D134CA0
    Similarity
    • API ID: AddressExitHandleModuleProcThreadUser
    • String ID:
    • API String ID: 3902016533-0
    • Opcode ID: be1401cc3429c4dba3d763539474088209e7e9af79c770580556b269916aa53e
    • Instruction ID: 1d2d971ccaab625c9a35d01d9a5ee914504141fd25491f953e6292a59df4fb0c
    • Opcode Fuzzy Hash: be1401cc3429c4dba3d763539474088209e7e9af79c770580556b269916aa53e
    • Instruction Fuzzy Hash: ADD0A7374052106F8A049710FC50AFE333B9FC722970A800CE50013304C7B2A806D755
    APIs
    • DName::DName.LIBCMT ref: 6D16540B
    • operator+.LIBCMT ref: 6D165425
    • UnDecorator::getBasedType.LIBVCRUNTIME ref: 6D1654ED
    • DName::DName.LIBCMT ref: 6D1654FD
    • DName::operator+.LIBCMT ref: 6D165504
    • UnDecorator::getBasedType.LIBVCRUNTIME ref: 6D16551B
      • Part of subcall function 6D166636: UnDecorator::UScore.LIBCMT ref: 6D16663E
      • Part of subcall function 6D166636: DName::DName.LIBCMT ref: 6D166648
      • Part of subcall function 6D166636: DName::DName.LIBCMT ref: 6D166678
    • DName::operator|=.LIBCMT ref: 6D165525
    • UnDecorator::getDimension.LIBCMT ref: 6D16555B
    • DName::operator+.LIBCMT ref: 6D165572
    • DName::operator+.LIBCMT ref: 6D165579
    • DName::operator+=.LIBCMT ref: 6D165582
    • UnDecorator::getVCallThunkType.LIBCMT ref: 6D16558B
    • DName::DName.LIBCMT ref: 6D1655AB
    • DName::operator+.LIBCMT ref: 6D1655B2
    • DName::operator+=.LIBCMT ref: 6D16565B
    • DName::operator+=.LIBCMT ref: 6D165643
      • Part of subcall function 6D165150: DName::DName.LIBCMT ref: 6D16516A
    • DName::DName.LIBCMT ref: 6D165F1A
    • DName::operator+.LIBCMT ref: 6D165F21
    • DName::DName.LIBCMT ref: 6D165FE6
    • DName::operator+.LIBCMT ref: 6D165FED
    • DName::DName.LIBCMT ref: 6D166096
    • DName::operator+.LIBCMT ref: 6D16609D
    • DName::DName.LIBCMT ref: 6D1660C6
    • DName::operator+.LIBCMT ref: 6D16562D
      • Part of subcall function 6D165063: DName::operator+=.LIBCMT ref: 6D165079
    • DName::DName.LIBCMT ref: 6D165626
      • Part of subcall function 6D1649DE: DName::doPchar.LIBVCRUNTIME ref: 6D1649FE
    • UnDecorator::getCallingConvention.LIBCMT ref: 6D1655ED
      • Part of subcall function 6D166ACE: UnDecorator::UScore.LIBCMT ref: 6D166B5D
      • Part of subcall function 6D166ACE: DName::operator=.LIBCMT ref: 6D166B67
    • UnDecorator::getDimension.LIBCMT ref: 6D165B67
    • DName::operator+=.LIBCMT ref: 6D165B7F
    • DName::operator+=.LIBCMT ref: 6D165B97
    • DName::operator+.LIBCMT ref: 6D165BA7
    • DName::operator+=.LIBCMT ref: 6D1655E4
      • Part of subcall function 6D165205: _HeapManager::getMemory.LIBVCRUNTIME ref: 6D165235
      • Part of subcall function 6D165205: pcharNode::pcharNode.LIBVCRUNTIME ref: 6D16524E
      • Part of subcall function 6D165205: DName::append.LIBCMT ref: 6D165258
    • DName::operator+=.LIBCMT ref: 6D1655D7
      • Part of subcall function 6D16510D: DName::operator+=.LIBCMT ref: 6D165128
    • DName::operator+=.LIBCMT ref: 6D1655CB
      • Part of subcall function 6D165205: DName::operator=.LIBCMT ref: 6D165226
    • DName::operator+=.LIBCMT ref: 6D165B17
    • UnDecorator::getVfTableType.LIBCMT ref: 6D165B4A
    • DName::operator+=.LIBCMT ref: 6D165CC4
    • DName::DName.LIBCMT ref: 6D165E24
    • DName::operator+.LIBCMT ref: 6D165E2B
    • DName::operator+.LIBCMT ref: 6D1660CD
    Similarity
    • API ID: NameName::Name::operator+=$Name::operator+$Decorator::get$Type$BasedDecorator::DimensionName::operator=Score$CallCallingConventionHeapManager::getMemoryName::appendName::doName::operator|=NodeNode::pcharPcharTableThunkoperator+pchar
    • String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
    • API String ID: 1579205822-3028518216
    • Opcode ID: 35472d99c9ffdea2cfbaa8a9bb384d130e2645f0724000f4cd1ebbbddce639b5
    • Instruction ID: 713757d938bf2b5babd4a175978e898a9716d77a6f6550c0e0855e88c654a1ed
    • Opcode Fuzzy Hash: 35472d99c9ffdea2cfbaa8a9bb384d130e2645f0724000f4cd1ebbbddce639b5
    • Instruction Fuzzy Hash: 4492C472E5428A9BEB05CEE8C991BFDB7B9EF14304F104039E511D7289EBB8D915CB60

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,invalid random_device value), ref: 6D13BC8C
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6D13BC9A
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6D13BCB1
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6D13BCC8
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6D13BCDF
    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6D13BCF6
    • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 6D13BD0D
    • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6D13BD24
    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 6D13BD3B
    • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6D13BD52
    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6D13BD69
    • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6D13BD80
    • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6D13BD97
    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6D13BDAE
    • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6D13BDC5
    • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6D13BDDC
    • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6D13BDF3
    • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6D13BE0A
    • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 6D13BE21
    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 6D13BE38
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$invalid random_device value$kernel32.dll
    • API String ID: 667068680-2420364413
    • Opcode ID: 7961001c79b7336c207990f66e6dc5ebf76775459e4ef7a41347ba6f977ba7a3
    • Instruction ID: 2f36ccd76eb57cc8fa3fdb52cc0277e5aa35c149ee2eef2ac4e8d5efafff49c2
    • Opcode Fuzzy Hash: 7961001c79b7336c207990f66e6dc5ebf76775459e4ef7a41347ba6f977ba7a3
    • Instruction Fuzzy Hash: 5D91A4B6815229EFCF509FB5EA58B5E7BF8EF1B24134A4815F105CA10AD7F49081AFA0

    APIs
    • UnDecorator::getExtendedDataIndirectType.LIBVCRUNTIME ref: 6D166BC9
      • Part of subcall function 6D1678C6: DName::DName.LIBCMT ref: 6D16794C
      • Part of subcall function 6D1678C6: DName::DName.LIBVCRUNTIME ref: 6D167956
      • Part of subcall function 6D1678C6: DName::operator+.LIBCMT ref: 6D167963
      • Part of subcall function 6D1678C6: DName::operator+=.LIBCMT ref: 6D167978
    • DName::operator+=.LIBCMT ref: 6D166C67
    • UnDecorator::UScore.LIBCMT ref: 6D166C6E
    • DName::operator+.LIBCMT ref: 6D166D41
    • UnDecorator::UScore.LIBCMT ref: 6D166D55
    • DName::operator=.LIBCMT ref: 6D166D5F
    • UnDecorator::getExtendedDataIndirectType.LIBVCRUNTIME ref: 6D166D84
    • DName::DName.LIBCMT ref: 6D166DDB
    • DName::operator+=.LIBCMT ref: 6D166DF1
    • DName::operator+=.LIBCMT ref: 6D166E11
    • DName::operator+=.LIBCMT ref: 6D166E29
    • DName::operator+=.LIBCMT ref: 6D166E4F
    • DName::operator+=.LIBCMT ref: 6D166E67
    • DName::DName.LIBCMT ref: 6D167151
    • DName::operator+.LIBCMT ref: 6D167158
    • DName::operator+=.LIBCMT ref: 6D16716E
    • DName::operator+.LIBCMT ref: 6D16717A
    • DName::DName.LIBCMT ref: 6D1671A0
    Similarity
    • API ID: Name::operator+=$NameName::$Name::operator+$DataDecorator::Decorator::getExtendedIndirectScoreType$Name::operator=
    • String ID: && $const $volatile
    • API String ID: 3199249345-2785535105
    • Opcode ID: b1b7b90c7eb68fd0e146422e311b0b71e13378616e6a0f4fafc61e7262f79936
    • Instruction ID: 7a9e2cc3585d403d327bdd7c6d638b37820a20650e69a48594f47da791c732b3
    • Opcode Fuzzy Hash: b1b7b90c7eb68fd0e146422e311b0b71e13378616e6a0f4fafc61e7262f79936
    • Instruction Fuzzy Hash: 7E223D71D0424E9FDF05CFA8D990AFEB7B5AF19304F11805AE511B7249DBB0AA15CBB0
    APIs
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 030d6e1c080e2a3cb3292a61dba6ec6f325c914aa0546c5055d5e8c25d9b358a
    • Instruction ID: e8f3848dddbc4daec7a1e4ee590378930166328d750917d60abee7a4a670f61a
    • Opcode Fuzzy Hash: 030d6e1c080e2a3cb3292a61dba6ec6f325c914aa0546c5055d5e8c25d9b358a
    • Instruction Fuzzy Hash: D6C25A71E082298FDB25CF289D407E9B7B9FB55304F5541EAD84DEB248E7B4AAC18F40
    APIs
    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6D18EAA8,?,00000000), ref: 6D18E822
    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6D18EAA8,?,00000000), ref: 6D18E84B
    • GetACP.KERNEL32(?,?,6D18EAA8,?,00000000), ref: 6D18E860
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 2e0fe9fd34713f601c49081ea665cf3965574f73bc87ffbba4eab80ff8b9e9ab
    • Instruction ID: 4ac37520e4bf53a881ce2bb0bf6d35fee05829ffbd1e7013f2bc8e1561c068b4
    • Opcode Fuzzy Hash: 2e0fe9fd34713f601c49081ea665cf3965574f73bc87ffbba4eab80ff8b9e9ab
    • Instruction Fuzzy Hash: 5321C422B44102A6E721CF15C904B9F73B6EB62F50B468464E929D711EE7F3DB40CF90
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E94
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EA1
    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6D18EA69
    • IsValidCodePage.KERNEL32(00000000), ref: 6D18EAC4
    • IsValidLocale.KERNEL32(?,00000001), ref: 6D18EAD3
    • GetLocaleInfoW.KERNEL32(?,00001001,6D183A50,00000040,?,6D183B70,00000055,00000000,?,?,00000055,00000000), ref: 6D18EB1B
    • GetLocaleInfoW.KERNEL32(?,00001002,6D183AD0,00000040), ref: 6D18EB3A
    Similarity
    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
    • String ID:
    • API String ID: 745075371-0
    • Opcode ID: 8d5f38dc87e36e8845b8cc863cd7d81be00ea15df726154036e6ecdddac70650
    • Instruction ID: ce38664deb403e37b17a453ea399e73ebb43b9c0375e1ba50a27eecc76ab0ed2
    • Opcode Fuzzy Hash: 8d5f38dc87e36e8845b8cc863cd7d81be00ea15df726154036e6ecdddac70650
    • Instruction Fuzzy Hash: 875193B190421AAFEF00DFA5CC44ABE77B9BF15700F054429E961E715AE7F29A40CF61
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E94
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EA1
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D18E464
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D18E4B5
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D18E575
    Similarity
    • API ID: ErrorInfoLastLocale$_free$_abort
    • String ID:
    • API String ID: 2829624132-0
    • Opcode ID: 87cf0a14d4753d91a81428ca7ff2419bb0bb64da3bd1f24380ec5e3b76f5e0ba
    • Instruction ID: 6a73963fbb04000ac67d3e633c84bb89ee63079a7c055f985f125868cb9d307b
    • Opcode Fuzzy Hash: 87cf0a14d4753d91a81428ca7ff2419bb0bb64da3bd1f24380ec5e3b76f5e0ba
    • Instruction Fuzzy Hash: 69618C75A442179FEB28CE24CC81BBA77B8EF05314F144069E915CA58AF7B69A81CF50
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6D1821F7
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6D182201
    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 6D18220E
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 048fe63d218a90dab338ebb8a1a79ad4db04eae3a05f1b7d43f966f24c3e8bc3
    • Instruction ID: b133c0de15bef37fd922e8664f54ee6f62de088ec1ba395fc32c272dc5172f97
    • Opcode Fuzzy Hash: 048fe63d218a90dab338ebb8a1a79ad4db04eae3a05f1b7d43f966f24c3e8bc3
    • Instruction Fuzzy Hash: 1C31E4B490122D9BCF21DF64D988B9DBBB8FF19350F5041EAE81CA7254E7B09B818F45
    APIs
    • GetCurrentProcess.KERNEL32(?,?,6D1803FA,?,6D1B0EE8,0000000C,6D180576,00000000,00000000,00000001,6D13E15D,6D1AE480,0000000C,6D13E006,?), ref: 6D180445
    • TerminateProcess.KERNEL32(00000000,?,6D1803FA,?,6D1B0EE8,0000000C,6D180576,00000000,00000000,00000001,6D13E15D,6D1AE480,0000000C,6D13E006,?), ref: 6D18044C
    • ExitProcess.KERNEL32 ref: 6D18045E
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 315743985aeb349f022a3d3b394c592fef6cc7c4fdaf1ffc130b57d6f0a1508b
    • Instruction ID: 787a8e7818c69731fba70dec35f799fc2474a610bc4b8277a79f3ec7e0e829e6
    • Opcode Fuzzy Hash: 315743985aeb349f022a3d3b394c592fef6cc7c4fdaf1ffc130b57d6f0a1508b
    • Instruction Fuzzy Hash: E4E04F31001208ABCF019F52DE08B583B79FB02385F044014F9144642BCBB6D842DE40
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 6D13F237
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-3916222277
    • Opcode ID: 89b9fb8bdf4b60459879c8467b7b71493ddf28488ba6783c5ff4695412f2951a
    • Instruction ID: 78d065e042697a6ac301001edd94a9e30f6416b2c9bb45dd8bc36aa17053de48
    • Opcode Fuzzy Hash: 89b9fb8bdf4b60459879c8467b7b71493ddf28488ba6783c5ff4695412f2951a
    • Instruction Fuzzy Hash: 6151A1B190431A8FEF04CFA9D4957AABBF4FB29314F11816AE425EB284D3B59801CF50
    APIs
    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6D13B41A
    Similarity
    • API ID: BinaryCryptString
    • String ID: 2
    • API String ID: 80407269-450215437
    • Opcode ID: c36c8aa96ec6c1056ae21df771f5d01a15855d110396ea24b8e44b8ae3bbf9ba
    • Instruction ID: 741386c0397352d47b7ead5a2d2f7f87cd374bec194476fbcd79f31a8f11f3c9
    • Opcode Fuzzy Hash: c36c8aa96ec6c1056ae21df771f5d01a15855d110396ea24b8e44b8ae3bbf9ba
    • Instruction Fuzzy Hash: E3F028721092A9AFDF124F64D841AAA7F68EF02368B2680DDF58987047E6B28E14D710
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000000), ref: 6D188061
    Similarity
    • API ID: InfoLocale
    • String ID: GetLocaleInfoEx
    • API String ID: 2299586839-2904428671
    • Opcode ID: db948446e252fbcc739e4934c5eee5c5147476276d7a13b2ba8deb8f0229281a
    • Instruction ID: ee78a21fa98dad6a4b479431420cf1e81b6813182efe614fcb77b6dd14c7d64c
    • Opcode Fuzzy Hash: db948446e252fbcc739e4934c5eee5c5147476276d7a13b2ba8deb8f0229281a
    • Instruction Fuzzy Hash: E9F0F031A4421CBBCF119FA0EC04FBE3BA4EF14310F090109FD056A25ACBB18E109A90
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 77f7bde53bfa868fc841c3d2d006a238b7c3c6031c608989953dc7c0574d3203
    • Instruction ID: ec782793225709cf673107ea038768b083c9e0c7d3874b27968e12807497777f
    • Opcode Fuzzy Hash: 77f7bde53bfa868fc841c3d2d006a238b7c3c6031c608989953dc7c0574d3203
    • Instruction Fuzzy Hash: 12024F71E042199FDF14CFA9C8906AEB7F5FF88324F258169D919EB344D771AA41CB80
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D183A57,?,?,?,?,?,?,00000000), ref: 6D18E0E9
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6D183A57,00000000,6D183B77), ref: 6D18E22A
    Similarity
    • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
    • String ID:
    • API String ID: 1661935332-0
    • Opcode ID: 5209c13fc22920ca9cb4b53c7d1df4330ea36e2f91665aedc7995fc8dda09129
    • Instruction ID: 0d3e6e98ad2d4e59d51eb3d201510aa7a8d0944edb11790b3eee3a85c73c9b02
    • Opcode Fuzzy Hash: 5209c13fc22920ca9cb4b53c7d1df4330ea36e2f91665aedc7995fc8dda09129
    • Instruction Fuzzy Hash: D2611871608306AEE714DF74DC45BBA73A8EF45710F11446AEA15DB18AEBF1EA40CFA0
    APIs
    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6D13B3EC
    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6D13B41A
    Similarity
    • API ID: BinaryCryptString
    • String ID:
    • API String ID: 80407269-0
    • Opcode ID: 64adbfdd5335b3f1c25fe29aa49514b8385b7e6a263c4cd3b07f360774a91d5f
    • Instruction ID: eed255be27de0f16c86207ba0f427f4d162d59814ca995271ee21130b88b611a
    • Opcode Fuzzy Hash: 64adbfdd5335b3f1c25fe29aa49514b8385b7e6a263c4cd3b07f360774a91d5f
    • Instruction Fuzzy Hash: 11018FB1104219FFEF018F95DD81DBBBBBDFF05394B218068F94996205E7B29E50AB60
    APIs
    Similarity
    • API ID: __floor_pentium4
    • String ID:
    • API String ID: 4168288129-0
    • Opcode ID: 691a2ef55be6087555b63eeb8df3625ab41003e781b1e5226445541b4725196f
    • Instruction ID: 9683aa510407f21172043844243c324d778e2e5b08409c57d0f14f4ebb3b3151
    • Opcode Fuzzy Hash: 691a2ef55be6087555b63eeb8df3625ab41003e781b1e5226445541b4725196f
    • Instruction Fuzzy Hash: F7B27B71E086298FDB25CE28DC407EAB3B5FB49305F1541EAD85DE7249E7B4AE818F40
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D17FC02,?,?,00000008,?,?,6D193FB5,00000000), ref: 6D17FE34
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: cd84b789b521c1910027b8d8ebd823ab1d6d35bd564f9c49863121e376b395a5
    • Instruction ID: deca4d91c62c5f6cb0d6159c6b83acdc033388e8c4256e944dc6c9b39a554079
    • Opcode Fuzzy Hash: cd84b789b521c1910027b8d8ebd823ab1d6d35bd564f9c49863121e376b395a5
    • Instruction Fuzzy Hash: 08B16C31220609DFD715CF28C486B667BE1FF45364F268658E8A9CF2B6C7B5E981CB40
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E94
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EA1
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D18E6B4
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$_free$InfoLocale_abort
    • String ID:
    • API String ID: 1663032902-0
    • Opcode ID: 364d37a989ab9494b3337cf5e308b11cbdcc0db678790c79f6fce04122373f7d
    • Instruction ID: d0e64e036ab01488fa947bb7bc80102e15701efbd25fd92981fe3e020807c29d
    • Opcode Fuzzy Hash: 364d37a989ab9494b3337cf5e308b11cbdcc0db678790c79f6fce04122373f7d
    • Instruction Fuzzy Hash: AF21B63295420B9BEB14DE24DC45F7A77BCEB45314F11006AEA01CA18AEBB5DA40CF90
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • EnumSystemLocalesW.KERNEL32(6D18E410,00000001,00000000,?,6D183A50,?,6D18EA3D,00000000,?,?,?), ref: 6D18E35A
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 3b9d24f858c759aa8364e078803b51050bc4145a1072135790d5335d57db17e1
    • Instruction ID: 27a268234a7e2653dc7afa0f95d1f01dd69cef5cb1a03dd45a5e72f1a759a0e4
    • Opcode Fuzzy Hash: 3b9d24f858c759aa8364e078803b51050bc4145a1072135790d5335d57db17e1
    • Instruction Fuzzy Hash: 0B1129372047015FDB18DF39C8906BAB7A1FF84359B19442CE94687B05D3B2B902CB40
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6D18E62E,00000000,00000000,?), ref: 6D18E8BC
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale_abort_free
    • String ID:
    • API String ID: 2692324296-0
    • Opcode ID: 859a7b7c82517db37427441d6dc441e744e29f0b676f1136fc046b85717e6447
    • Instruction ID: 2e298b617218934e6a4c0fc5958de55e1898a21ae2bda928bcceff7ed848041d
    • Opcode Fuzzy Hash: 859a7b7c82517db37427441d6dc441e744e29f0b676f1136fc046b85717e6447
    • Instruction Fuzzy Hash: 63F0F932B14217ABDB14CA258845BBE7778EB46714F050469ED25E3145EBF2FE41CAD0
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • EnumSystemLocalesW.KERNEL32(6D18E660,00000001,00000000,?,6D183A50,?,6D18EA01,6D183A50,?,?,?,?,?,6D183A50,?,?), ref: 6D18E3CF
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 80681664c93d6d9ac035ec59f911de705506459c8521380b271540484e533fa1
    • Instruction ID: 186a8e19719d0c9fd80559e39d48a935ba0a8722131f94edbfa9ce18c8db4d10
    • Opcode Fuzzy Hash: 80681664c93d6d9ac035ec59f911de705506459c8521380b271540484e533fa1
    • Instruction Fuzzy Hash: DFF0C2363043095FD7159F3A9884A7A7BA5EF85368F15442DEA05CB645D7F29D028A40
    APIs
      • Part of subcall function 6D17F77C: EnterCriticalSection.KERNEL32(?,?,6D180337,00000002,6D1B0EE8,0000000C,6D180576,00000000,00000000,00000001,6D13E15D,6D1AE480,0000000C,6D13E006,?), ref: 6D17F78B
    • EnumSystemLocalesW.KERNEL32(6D187560,00000001,6D1B11E0,0000000C), ref: 6D1875F6
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: 75321b94f3499e84763683fc1094d45da34fd9c69499049f53399d157d2fee05
    • Instruction ID: 85b9f819aa30b7c92e7f50a416c069b77a1aae78b2170549b626aa2b9a6874bf
    • Opcode Fuzzy Hash: 75321b94f3499e84763683fc1094d45da34fd9c69499049f53399d157d2fee05
    • Instruction Fuzzy Hash: BBF049B2A102089FDB10EF68E444B5D37F0EB16324F12811AE624DF2AACBB58941DF81
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • EnumSystemLocalesW.KERNEL32(6D18E1D6,00000001,00000000,?,?,6D18EA5F,6D183A50,?,?,?,?,?,6D183A50,?,?,?), ref: 6D18E2B6
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 58e9afdbb289f4dd57e6035590d3c523760c904df7fae1f4d207863078eb26fd
    • Instruction ID: ec9817c04b7958aa152462f3d1a540946d5107bafa271da7bbba92badbac2d72
    • Opcode Fuzzy Hash: 58e9afdbb289f4dd57e6035590d3c523760c904df7fae1f4d207863078eb26fd
    • Instruction Fuzzy Hash: 11F0553630020957CB14EF3AD808B6ABFA0EFC2710B0A4058EA05CB246C7B29942CB50
    APIs
    • EnumSystemLocalesW.KERNEL32(Function_00067560,00000001), ref: 6D187740
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: c3298ebcf4b27f7bbbc140f904c6df4dc21e3b01c7494fb7e3ca4ca2b19aea00
    • Instruction ID: 3f7d87727960ce85d0a979427e093ab0b0710334cee55d8dafcd636372798473
    • Opcode Fuzzy Hash: c3298ebcf4b27f7bbbc140f904c6df4dc21e3b01c7494fb7e3ca4ca2b19aea00
    • Instruction Fuzzy Hash: E3E04F72A003085FEF04EF26E849B193B62E7C2210B158116E5180E14AC7F154429A84
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D13F493
      • Part of subcall function 6D1617DD: RaiseException.KERNEL32(?,?,?,6D13F47B,00000000,0000006F,00000000,?,?,?,?,?,6D13F47B,?,6D1AE250), ref: 6D16183C
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ExceptionException@8RaiseThrow
    • String ID:
    • API String ID: 3976011213-0
    • Opcode ID: 705927ba251c09cdb3a6c50ad01ffe918af58900987866adb08a3e6a93bcc092
    • Instruction ID: 6903799e3f90451dad5c6ed1eb7bbe6904d6bde760d724988d435cc562267653
    • Opcode Fuzzy Hash: 705927ba251c09cdb3a6c50ad01ffe918af58900987866adb08a3e6a93bcc092
    • Instruction Fuzzy Hash: 9DC08C3DC0820CB7CB08FAF1F80898DB33CAB00100F8244608720D288ABBF0A6488AD5
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F10D), ref: 6D13F106
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 961b8fe8ef0ccb61b6656d943082c3847fb724246945dd69a2363a4019894f67
    • Instruction ID: 3712fad4d5ba036af6cb8c82a43373f54ad28927fe9484f6f3de160ad7401091
    • Opcode Fuzzy Hash: 961b8fe8ef0ccb61b6656d943082c3847fb724246945dd69a2363a4019894f67
    • Instruction Fuzzy Hash:
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 209fa70ab6ee092f69cccc5c086fd48681e47332f1b7958f23f96490261e654e
    • Instruction ID: 567410e76afd4a7205738711ceca3b4f8f454fb8d6c933b025b7a21c3df41920
    • Opcode Fuzzy Hash: 209fa70ab6ee092f69cccc5c086fd48681e47332f1b7958f23f96490261e654e
    • Instruction Fuzzy Hash: BC519D216D864B5BEB31896C4450BBF3399AB3F308F000909D591CB2BDCBF9E9458796
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: d41305970d1f77cc44105c86b7d64e4b51a509b94f95af01f5d8a8e8c63e3848
    • Instruction ID: 68ceaba21a0a23628ab5d9c7db34dc487ab4164428b8d4dc055b6dff2a78fd7a
    • Opcode Fuzzy Hash: d41305970d1f77cc44105c86b7d64e4b51a509b94f95af01f5d8a8e8c63e3848
    • Instruction Fuzzy Hash: A95167217486CB97DB3189E8C5607FF33E9AB2F304F014509D9929B2BEC7C1DA068356
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 1fa841d9722bbd402cebd94a8f5b05df2992c61e18cb5d3511d685f77d151cb7
    • Instruction ID: 838547a09f3a29240b2d505a41b4026cd8e83dfe7bece13d8506e7a44ef9dbc6
    • Opcode Fuzzy Hash: 1fa841d9722bbd402cebd94a8f5b05df2992c61e18cb5d3511d685f77d151cb7
    • Instruction Fuzzy Hash: 2651873035864657DB318978C4607BE73A9AB7F344F02490AEAE2CB2BDCBC9D645C351
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 5d13db59187ef34730d84182b6f0c192737e8bc5911595c0e2868c34d9da22a6
    • Instruction ID: c21e28095ce2e003ddf4cda080fce3bbc0c57b76c2f51250d8a047669bb2673f
    • Opcode Fuzzy Hash: 5d13db59187ef34730d84182b6f0c192737e8bc5911595c0e2868c34d9da22a6
    • Instruction Fuzzy Hash: D651BD21B4C6075BDB32C96845907BF3799EB6F348F00480AD5A3CB2BDD7D1DA45835A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: b97e046cfdb601be1f358db2581e6d3f5d29edae7cb578b7638940429cfc71a8
    • Instruction ID: d6ad4953986be78c801b713ad814a4a43265cbe717ddc6dea9aff5a6c766b81b
    • Opcode Fuzzy Hash: b97e046cfdb601be1f358db2581e6d3f5d29edae7cb578b7638940429cfc71a8
    • Instruction Fuzzy Hash: DB51A96064874657DB3189788451BFE33EABB2F308F01490AFA92CB6BDE7D1D505C752
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: a749e05834424df131d9a275dbf95a1455154f0cf05432cca7aa01d94f566dce
    • Instruction ID: 5de5bfd5a3c982724b01da9c0319d64e6953c3729c028f2b533d81e88acf90c5
    • Opcode Fuzzy Hash: a749e05834424df131d9a275dbf95a1455154f0cf05432cca7aa01d94f566dce
    • Instruction Fuzzy Hash: A351A8E075C74797FB31896889517BF33A9AB22305F014A49C592CB2BDCBF2DA02C361
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 605c29bd9346d4cfc629ddf9754d179cf9c5976c7712a9d441f4eeaeae188583
    • Instruction ID: 33ed632d27434cf892ff3fafb65b26a98ce5e296ce3fb9f26f6c41fc0e17bd99
    • Opcode Fuzzy Hash: 605c29bd9346d4cfc629ddf9754d179cf9c5976c7712a9d441f4eeaeae188583
    • Instruction Fuzzy Hash: 52F1A3B1A042199FDB25CF58D840BE9B3BDFF55304F1540AAD949AB248E7B09F91CF81
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d6f72bee7df93da9f91a93ae182082ad0a303aaa1494065f587d15e94fe11a20
    • Instruction ID: 4eb5fba7b0c43b41b5f9ebc726917fa729a1ea17d8522b46df7776cf99798b01
    • Opcode Fuzzy Hash: d6f72bee7df93da9f91a93ae182082ad0a303aaa1494065f587d15e94fe11a20
    • Instruction Fuzzy Hash: DAB16075A041298FDB21CF19D880BEDB7B5EF89308F1541EADD09AB249D7B19E818F90
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a95c3d8cee89b2236804edfc4bbe767f58d99f8216f02f8ad230fe330bc60812
    • Instruction ID: 9bb1288c50e5961f1b4f0cc91f7427b5783dbb239aa583d89afd5c2461c10bd3
    • Opcode Fuzzy Hash: a95c3d8cee89b2236804edfc4bbe767f58d99f8216f02f8ad230fe330bc60812
    • Instruction Fuzzy Hash: 3F617C7168874A57FB348968D854BBE7398EB26304F10490AF552CB2BCE7F2D9428355
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ac4bd8ea7d0c0bdcb883866fe4e7014fced9b527493f3ce2395115eb35303eef
    • Instruction ID: e2ee40c855ed34496038f7dccd12f2f8e4d22eecfae6a97296e0ed43ebc42644
    • Opcode Fuzzy Hash: ac4bd8ea7d0c0bdcb883866fe4e7014fced9b527493f3ce2395115eb35303eef
    • Instruction Fuzzy Hash: AB61CC7165870B56FF3089288890BBE33A5FF62708F41091AF542DB1BCDBF1DA428755
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4a4473dafbe21ca7ae4ab8e007970b97e7845b3c510347761f75ac282590aabd
    • Instruction ID: 15baf191930f3fe52f5e65464a1ed4600fdd7fd756607ca1ed62482529f0e232
    • Opcode Fuzzy Hash: 4a4473dafbe21ca7ae4ab8e007970b97e7845b3c510347761f75ac282590aabd
    • Instruction Fuzzy Hash: 5461AC7125870FAAFB7449684890BBE33A4EF63304F00441AE592DB5BDEBF1D946C392
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 97ed726200c803b17d696d78d5b52923cd0407f4480b920140174d732317367c
    • Instruction ID: 7c9a5b9e964b100d514e2b5e90ccb210919710addc4f567994af80ce9ac922f7
    • Opcode Fuzzy Hash: 97ed726200c803b17d696d78d5b52923cd0407f4480b920140174d732317367c
    • Instruction Fuzzy Hash: 10617B31A4870A57FB34496848E1BBE33A9EB66308F10492AE552CF1FCD7F1DA428355
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 490ae17841d34305f0cb66f0acd11c7790ebaf23b8741724912b9e4042491095
    • Instruction ID: e396b8af7c19e2c965bfd9b6092e940ca2f9872a7bbbda511b8d4bb55d2f99fb
    • Opcode Fuzzy Hash: 490ae17841d34305f0cb66f0acd11c7790ebaf23b8741724912b9e4042491095
    • Instruction Fuzzy Hash: 98617831B9870A57FB3449698890BFE33A4EF22318F80491AD596DF1BCD6F1E9428751
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 948030c94b42e97c7d1369869ab94148890bfef77c542ec42b2e2c74e67a6aeb
    • Instruction ID: 88c20330d309507cdea70c77acaa85143da882f74b03c76df9224f44ff16db31
    • Opcode Fuzzy Hash: 948030c94b42e97c7d1369869ab94148890bfef77c542ec42b2e2c74e67a6aeb
    • Instruction Fuzzy Hash: D6618A7174870A97FB304A2848A0BBE3395EF22708F004D1AE957DB1BDE7F1D9428655
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ExitThreadUser
    • String ID:
    • API String ID: 3424019298-0

    APIs
    • DName::DName.LIBCMT ref: 6D168140
      • Part of subcall function 6D164A57: DName::doPchar.LIBVCRUNTIME ref: 6D164A85
    • DName::operator+.LIBCMT ref: 6D168147
      • Part of subcall function 6D165063: DName::operator+=.LIBCMT ref: 6D165079
    • DName::operator=.LIBCMT ref: 6D168120
      • Part of subcall function 6D164DD9: DName::doPchar.LIBVCRUNTIME ref: 6D164DFF
    • DName::DName.LIBCMT ref: 6D168178
    • DName::operator+.LIBCMT ref: 6D16817F
    • DName::operator+=.LIBCMT ref: 6D16818B
    • DName::operator+=.LIBCMT ref: 6D1681A1
    • DName::operator+=.LIBCMT ref: 6D1681AB
    • DName::DName.LIBCMT ref: 6D16825B
    • DName::DName.LIBCMT ref: 6D1682D5
    • DName::operator+.LIBCMT ref: 6D16855B
    • DName::operator=.LIBCMT ref: 6D1686A8
    Similarity
    • API ID: NameName::Name::operator+=$Name::operator+$Name::doName::operator=Pchar
    • String ID: `anonymous namespace'$`string'$operator
    • API String ID: 708493032-815891235

    Similarity
    • API ID: Name::operator=$Decorator::getName::operator+=Type$DataNameName::Name::operator+operator+
    • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
    • API String ID: 845634455-3737837666

    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D15C19C
    • GetLastError.KERNEL32 ref: 6D15C1A9
    • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 6D15C1CC
    • GetLastError.KERNEL32 ref: 6D15C1D6
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15C1EC
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15C374
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15C382
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorLast$CompletionConcurrency::details::EventException@8ListThrow
    • String ID:
    • API String ID: 1281952151-0
    APIs
    • Replicator::operator[].LIBCMT ref: 6D169447
    • DName::operator=.LIBCMT ref: 6D16949C
    • UnDecorator::getTemplateConstant.LIBVCRUNTIME ref: 6D1694DF
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D1694F5
    • DName::getString.LIBVCRUNTIME ref: 6D169519
    • DName::DName.LIBCMT ref: 6D169553
    • DName::operator+.LIBCMT ref: 6D16955A
    • DName::operator+=.LIBCMT ref: 6D169573
    • DName::DName.LIBCMT ref: 6D169593
    • DName::operator+.LIBCMT ref: 6D16959A
    • DName::operator+=.LIBCMT ref: 6D1695B3
    • Replicator::operator+=.LIBCMT ref: 6D169605
    • DName::operator+=.LIBCMT ref: 6D16961E
    • DName::operator+=.LIBCMT ref: 6D169629
    • DName::operator+=.LIBCMT ref: 6D169639
    Similarity
    • API ID: Name::operator+=$Decorator::getNameName::Name::operator+$ConstantDimensionName::getName::operator=Replicator::operator+=Replicator::operator[]SignedStringTemplate
    • String ID: ...$`template-parameter$void
    • API String ID: 3395515206-2152273162
    APIs
    • __EH_prolog3.LIBCMT ref: 6D147BE1
    • Concurrency::SchedulerPolicy::SchedulerPolicy.LIBCMT ref: 6D147BFD
      • Part of subcall function 6D1509C1: new.LIBCMT ref: 6D1509C9
    • ListArray.LIBCONCRT ref: 6D147C34
      • Part of subcall function 6D147867: new.LIBCMT ref: 6D1478F3
      • Part of subcall function 6D147867: InitializeSListHead.KERNEL32(?,00000000,?,6D13F984), ref: 6D147933
      • Part of subcall function 6D147867: InitializeSListHead.KERNEL32(?), ref: 6D14793D
    • ListArray.LIBCONCRT ref: 6D147C68
      • Part of subcall function 6D14776E: new.LIBCMT ref: 6D1477FA
      • Part of subcall function 6D14776E: InitializeSListHead.KERNEL32(?,00000000,?,6D13F984), ref: 6D14783A
      • Part of subcall function 6D14776E: InitializeSListHead.KERNEL32(?), ref: 6D147844
    • Hash.LIBCMT ref: 6D147CD1
    • Hash.LIBCMT ref: 6D147CE1
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D76
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D83
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D90
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D9D
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150AA8
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150AB6
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150B2F
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150B3D
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150BA2
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150BC6
    • RegisterWaitForSingleObject.KERNEL32(?,00000000,6D14BB03,?,000000FF,00000000), ref: 6D147E25
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001,00001001), ref: 6D147E2F
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147E45
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D147E53
    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 6D147E70
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,6D1AE8E8,00000000), ref: 6D147E82
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147E98
    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 6D147EB8
    • GetLastError.KERNEL32(?,?,00000000,?,6D13F984), ref: 6D147EC4
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147EDA
    Similarity
    • API ID: List$HeadInitialize$Exception@8Throw$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastTimerstd::bad_exception::bad_exception$ArrayHashRegisterScheduler$AsyncConcurrency::Concurrency::details::Concurrency::details::platform::__CreateH_prolog3LibraryLoadObjectPolicyPolicy::QueueSingleWait
    • String ID:
    • API String ID: 3209160469-0
    Similarity
    • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr
    • String ID:
    • API String ID: 254760748-0
    • Opcode ID: 5955b11d5558e90c63afc860324034a8751c977b96db81a2de0cdb1d42937129
    • Instruction ID: 7d376234bcabede8c617b85767f6b9fb74750a94005f51fcc0b47bf9c1097907
    • Opcode Fuzzy Hash: 5955b11d5558e90c63afc860324034a8751c977b96db81a2de0cdb1d42937129
    • Instruction Fuzzy Hash: 1DD124719487426FDB25DFB8D860F6A7BB5AF12314F02426EEA10972CAE7F29501CF50
    APIs
    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 6D15D51E
      • Part of subcall function 6D15D2FA: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 6D15D31C
    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCMT ref: 6D15D53F
    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 6D15D54C
    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 6D15D59A
    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 6D15D629
    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 6D15D63C
    • Concurrency::details::WorkSearchContext::GetLocalRunnable.LIBCMT ref: 6D15D65C
    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 6D15D68A
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocalLocal_NextObjectPeriodicRunnableRunnablesScanSlot
    • String ID:
    • API String ID: 3403383939-0
    • Opcode ID: 7f7d54c2834c1de50e9e6e9238a68723e5e0a7405f5ac04738c8f167b5f9796b
    • Instruction ID: a3d5c6da24e71ae02a58035b9c86111cb91efb1553ee6f80029fcef1c3f90be1
    • Opcode Fuzzy Hash: 7f7d54c2834c1de50e9e6e9238a68723e5e0a7405f5ac04738c8f167b5f9796b
    • Instruction Fuzzy Hash: F99182B490424A9BDF02CF94D940BFE7BB2AF95308F004059ED716B259C7FA8836DB61
    APIs
    • Concurrency::SchedulerPolicy::SchedulerPolicy.LIBCMT ref: 6D147BFD
      • Part of subcall function 6D1509C1: new.LIBCMT ref: 6D1509C9
    • ListArray.LIBCONCRT ref: 6D147C34
      • Part of subcall function 6D147867: new.LIBCMT ref: 6D1478F3
      • Part of subcall function 6D147867: InitializeSListHead.KERNEL32(?,00000000,?,6D13F984), ref: 6D147933
      • Part of subcall function 6D147867: InitializeSListHead.KERNEL32(?), ref: 6D14793D
    • ListArray.LIBCONCRT ref: 6D147C68
      • Part of subcall function 6D14776E: new.LIBCMT ref: 6D1477FA
      • Part of subcall function 6D14776E: InitializeSListHead.KERNEL32(?,00000000,?,6D13F984), ref: 6D14783A
      • Part of subcall function 6D14776E: InitializeSListHead.KERNEL32(?), ref: 6D147844
    • Hash.LIBCMT ref: 6D147CD1
    • Hash.LIBCMT ref: 6D147CE1
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D76
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D83
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D90
    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 6D147D9D
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150AA8
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150AB6
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150B2F
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150B3D
      • Part of subcall function 6D150A84: std::bad_exception::bad_exception.LIBCMT ref: 6D150BA2
      • Part of subcall function 6D150A84: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150BC6
    • RegisterWaitForSingleObject.KERNEL32(?,00000000,6D14BB03,?,000000FF,00000000), ref: 6D147E25
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001,00001001), ref: 6D147E2F
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147E45
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D147E53
    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 6D147E70
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,6D1AE8E8,00000000), ref: 6D147E82
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147E98
    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 6D147EB8
    • GetLastError.KERNEL32(?,?,00000000,?,6D13F984), ref: 6D147EC4
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D147EDA
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: List$HeadInitialize$Exception@8Throw$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastTimerstd::bad_exception::bad_exception$ArrayHashRegisterScheduler$AsyncConcurrency::Concurrency::details::Concurrency::details::platform::__CreateLibraryLoadObjectPolicyPolicy::QueueSingleWait
    • String ID:
    • API String ID: 3226919913-0
    • Opcode ID: bd5a05c3c8b81947806e2b258a5180685ba15d01ee28446235e29cdc0fb66be0
    • Instruction ID: 334c64ee70546144114eab7f16ed50d687c23b20aed5b72d457145c74b781253
    • Opcode Fuzzy Hash: bd5a05c3c8b81947806e2b258a5180685ba15d01ee28446235e29cdc0fb66be0
    • Instruction Fuzzy Hash: C4814CB0A15B62ABD709CF75C844BD9FBA8BF09714F11831AE528D7284DBB4A164CBD0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Decorator::getNameName::Name::operator+=Name::operator=Typeoperator+
    • String ID: std::nullptr_t$volatile
    • API String ID: 1353475476-3726895890
    • Opcode ID: 8cdb3dbd89ece82d94055a5ee225c854ce9de068bff856418013bcc2410036d0
    • Instruction ID: ff046742e55e39dff624c68cbe35d823c51045790bd8573ee87d47111e993b90
    • Opcode Fuzzy Hash: 8cdb3dbd89ece82d94055a5ee225c854ce9de068bff856418013bcc2410036d0
    • Instruction Fuzzy Hash: A0511272908185ABCB09DF68D954AB93F7CFB2B300F008469E554962DED7F18662CB70
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free$Info
    • String ID:
    • API String ID: 2509303402-0
    • Opcode ID: c5d5b2375386e72b4654c3ee9b21bafa23373d1882418d383f3bd55caa6c7b77
    • Instruction ID: e6c34ff81e437ea50118d117312b32f9ae95a0811466196d0df169d8a01d88b9
    • Opcode Fuzzy Hash: c5d5b2375386e72b4654c3ee9b21bafa23373d1882418d383f3bd55caa6c7b77
    • Instruction Fuzzy Hash: 09B19D71D042069FDB11CF78C880BEEBBB6FF19304F104669F5A5A7266EBB598418F60
    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D1629FC
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 6D162A77
    • ___TypeMatch.LIBVCRUNTIME ref: 6D162AF5
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D162BA8
    • FindHandlerForForeignException.LIBVCRUNTIME ref: 6D162BF7
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D162C31
    • _UnwindNestedFrames.LIBCMT ref: 6D162C39
    • ___FrameUnwindToState.LIBVCRUNTIME ref: 6D162C45
    • CallUnexpected.LIBVCRUNTIME ref: 6D162C50
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Exception$SpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
    • String ID: csm$csm$csm
    • API String ID: 3606550248-393685449
    • Opcode ID: b81bcb67d86c8b36832c7fd3db2f609a7372889312cbbbafc8d408981d410058
    • Instruction ID: 3120dbc98d9a9a214391d9418abe20e64fd6dfa2617c370b902edee4182ec16b
    • Opcode Fuzzy Hash: b81bcb67d86c8b36832c7fd3db2f609a7372889312cbbbafc8d408981d410058
    • Instruction Fuzzy Hash: 76B18D3180868AAFCF31CFA8C840AAEB7B4FF14314F15455DE91127658D7B59AA1CFB2
    APIs
    • ___free_lconv_mon.LIBCMT ref: 6D18C04D
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C8BF
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C8D1
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C8E3
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C8F5
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C907
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C919
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C92B
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C93D
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C94F
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C961
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C973
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C985
      • Part of subcall function 6D18C8A2: _free.LIBCMT ref: 6D18C997
    • _free.LIBCMT ref: 6D18C042
      • Part of subcall function 6D17F672: HeapFree.KERNEL32(00000000,00000000,?,6D18119D,00000001,00000001), ref: 6D17F688
      • Part of subcall function 6D17F672: GetLastError.KERNEL32(02C15E31,?,6D18119D,00000001,00000001), ref: 6D17F69A
    • _free.LIBCMT ref: 6D18C064
    • _free.LIBCMT ref: 6D18C079
    • _free.LIBCMT ref: 6D18C084
    • _free.LIBCMT ref: 6D18C0A6
    • _free.LIBCMT ref: 6D18C0B9
    • _free.LIBCMT ref: 6D18C0C7
    • _free.LIBCMT ref: 6D18C0D2
    • _free.LIBCMT ref: 6D18C10A
    • _free.LIBCMT ref: 6D18C111
    • _free.LIBCMT ref: 6D18C12E
    • _free.LIBCMT ref: 6D18C146
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 41482a1470b443f1779dbfe566ca88dff5a0d38acb4456cba09ab29a8193daca
    • Instruction ID: aa4265904ab7be717c7f9c9fa43c8a39b1478e5218e9e1c538b59d3ac8aabc79
    • Opcode Fuzzy Hash: 41482a1470b443f1779dbfe566ca88dff5a0d38acb4456cba09ab29a8193daca
    • Instruction Fuzzy Hash: CD317C716086069FEB208A78D840B6773FAFF11394F118619E169D7179EFB5A8408F64
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 5ca77a68a38894f264af9c1c4b2950a84eac93b271c0e41ba8eb09a9897218ee
    • Instruction ID: 8045f0336bab7348e677cc4eac21a0994a40beb3c7d8f4ff5b15cb6cced09e3a
    • Opcode Fuzzy Hash: 5ca77a68a38894f264af9c1c4b2950a84eac93b271c0e41ba8eb09a9897218ee
    • Instruction Fuzzy Hash: 5FC17672E44205AFDB20CFA8CC41FEE77F9AB49704F154265FA15FB289D6B099408F64
    APIs
    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 6D1504C5
      • Part of subcall function 6D13F9A6: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 6D148F31
    • Concurrency::details::ContextBase::PushStructured.LIBCONCRT ref: 6D1504D1
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D1504EF
    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 6D15051B
    • Concurrency::details::ContextBase::PushStructured.LIBCONCRT ref: 6D15052A
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D150548
      • Part of subcall function 6D1617DD: RaiseException.KERNEL32(?,?,?,6D13F47B,00000000,0000006F,00000000,?,?,?,?,?,6D13F47B,?,6D1AE250), ref: 6D16183C
    • __EH_prolog3_catch.LIBCMT ref: 6D150555
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D150575
      • Part of subcall function 6D14FB62: Concurrency::event::wait.LIBCONCRT ref: 6D14FB78
    • Concurrency::details::_TaskCollection::_Alias.LIBCMT ref: 6D15057D
    • new.LIBCMT ref: 6D1505AE
    • Concurrency::details::ContextBase::PushUnstructured.LIBCONCRT ref: 6D1505DD
    • Concurrency::details::ContextBase::PushUnstructured.LIBCONCRT ref: 6D15060B
      • Part of subcall function 6D14D6D2: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6D14D6E2
      • Part of subcall function 6D14D6D2: WorkStealingQueue.LIBCMT ref: 6D14D6F0
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Base::Concurrency::details::$Context$PushScheduler$Exception@8Throw$CurrentQueueStructuredUnstructuredWork$AliasCollection::_Concurrency::details::_Concurrency::event::waitCreateDefaultExceptionH_prolog3_catchRaiseStealingTask
    • String ID:
    • API String ID: 2449566001-0
    • Opcode ID: d09a97c742131321900154e6e04f40121eb472a794ad04a9f33a96d9f5c0d287
    • Instruction ID: d74a61b86bfdefd840025b22f5a6609b274807fc8a2059981df7ba625443fe89
    • Opcode Fuzzy Hash: d09a97c742131321900154e6e04f40121eb472a794ad04a9f33a96d9f5c0d287
    • Instruction Fuzzy Hash: 02411B71804609AFCB10DFA6C440A6DF7B4FF44318F01C52EDA6A97648DBF4A961CF91
    APIs
    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCMT ref: 6D14B2DB
    • SwitchToThread.KERNEL32 ref: 6D14B301
    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCMT ref: 6D14B31C
    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 6D14B33B
    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 6D14B346
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D14B36B
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D14B379
    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D14B38A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$AcquireBase::Concurrency::details::_ContextException@8InternalLock::_MarkOversubscribedProcProcessor::ReentrantResetRetirementSwitchThreadThrowstd::invalid_argument::invalid_argument
    • String ID: count$ppVirtualProcessorRoots
    • API String ID: 1074881879-3650809737
    • Opcode ID: a0aedbb5cf3e57036ce4e7e84de47a3b53588fc93ab1ff04e9b3ba2bac3e319a
    • Instruction ID: 99c737c3eace2a2cb8f670bfb0505aaa0400a93e31fba9bb8d4a7dc6bddd535e
    • Opcode Fuzzy Hash: a0aedbb5cf3e57036ce4e7e84de47a3b53588fc93ab1ff04e9b3ba2bac3e319a
    • Instruction Fuzzy Hash: 67313671A082059FCF04DF59C5A0BBD73B9BF59314F0280A9DA11AB349CBF4AE02CB91
    APIs
    • LoadLibraryW.KERNEL32(?), ref: 6D13ABB6
    • IsDebuggerPresent.KERNEL32 ref: 6D13ABC2
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D13ABD6
    • IsDebuggerPresent.KERNEL32 ref: 6D13ABE1
    • GetCurrentProcess.KERNEL32(?), ref: 6D13ABF3
    • FreeLibrary.KERNEL32(00000000), ref: 6D13AC09
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: DebuggerLibraryPresent$AddressCurrentFreeLoadProcProcess
    • String ID: P$g$s$t
    • API String ID: 3962861327-3606143063
    • Opcode ID: 98c62530e082eb4c4ecd97e96b7546347523b8eb113e5e34fd7a66e2bfde91f9
    • Instruction ID: 8ccc7f2d72b9a57f877bb9175548cde97c6891cce80f36701cf49ccf1b742e4b
    • Opcode Fuzzy Hash: 98c62530e082eb4c4ecd97e96b7546347523b8eb113e5e34fd7a66e2bfde91f9
    • Instruction Fuzzy Hash: F031AF21D5839D9EEF01CBF8A855BFEBB74AF1A700F01541AE900E7254E7B08A44C765
    APIs
    • Concurrency::details::SchedulerBase::RemovePrioritizedObject.LIBCMT ref: 6D154AA8
      • Part of subcall function 6D14B223: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D14B233
      • Part of subcall function 6D14B223: List.LIBCMT ref: 6D14B248
    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 6D154ABB
      • Part of subcall function 6D15474F: Concurrency::details::QuickBitSet::SpinUntilSet.LIBCMT ref: 6D154769
    • Concurrency::details::SchedulerBase::SaveRetiredVirtualProcessorStatistics.LIBCMT ref: 6D154AE3
    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 6D154AFC
    • StructuredWorkStealingQueue.LIBCMT ref: 6D154B17
    • Concurrency::location::_Assign.LIBCMT ref: 6D154B3E
    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 6D154B46
    • StructuredWorkStealingQueue.LIBCMT ref: 6D154B56
    • Concurrency::details::VirtualProcessor::TraceVirtualProcessorEvent.LIBCMT ref: 6D154BBD
    • Concurrency::details::SchedulerBase::ReturnSubAllocator.LIBCONCRT ref: 6D154BCB
    • ListArray.LIBCONCRT ref: 6D154BE1
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Base::$QuickSchedulerSet::Virtual$ClearCountedInterlockedListProcessorQueueReferenceStealingStructuredWork$AcquireAllocatorArrayAssignConcurrency::details::_Concurrency::location::_ContextEventGroupLock::_ObjectPrioritizedProcessor::ReaderRemoveRetiredReturnRunnableSaveScheduleSegmentSpinStatisticsTraceUntilWriteWriter
    • String ID:
    • API String ID: 1433224942-0
    • Opcode ID: 92046a0ef4fd6e62f13ac54383000ceffcfc52af0721e533acb790fed235d778
    • Instruction ID: b3eb1f19d0aa26badf52506d7a3bbbbb527eb3824662fd0f05f003811e696fae
    • Opcode Fuzzy Hash: 92046a0ef4fd6e62f13ac54383000ceffcfc52af0721e533acb790fed235d778
    • Instruction Fuzzy Hash: 01412AB56082019FCB09DF68C8D0B2977A6BF89218F154099DE168F35ACBB5AC21CB50
    APIs
    • Concurrency::details::SchedulerBase::RemovePrioritizedObject.LIBCMT ref: 6D154AA8
      • Part of subcall function 6D14B223: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D14B233
      • Part of subcall function 6D14B223: List.LIBCMT ref: 6D14B248
    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 6D154ABB
      • Part of subcall function 6D15474F: Concurrency::details::QuickBitSet::SpinUntilSet.LIBCMT ref: 6D154769
    • Concurrency::details::SchedulerBase::SaveRetiredVirtualProcessorStatistics.LIBCMT ref: 6D154AE3
    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 6D154AFC
    • StructuredWorkStealingQueue.LIBCMT ref: 6D154B17
    • Concurrency::location::_Assign.LIBCMT ref: 6D154B3E
    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 6D154B46
    • StructuredWorkStealingQueue.LIBCMT ref: 6D154B56
    • Concurrency::details::VirtualProcessor::TraceVirtualProcessorEvent.LIBCMT ref: 6D154BBD
    • Concurrency::details::SchedulerBase::ReturnSubAllocator.LIBCONCRT ref: 6D154BCB
    • ListArray.LIBCONCRT ref: 6D154BE1
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Base::$QuickSchedulerSet::Virtual$ClearCountedInterlockedListProcessorQueueReferenceStealingStructuredWork$AcquireAllocatorArrayAssignConcurrency::details::_Concurrency::location::_ContextEventGroupLock::_ObjectPrioritizedProcessor::ReaderRemoveRetiredReturnRunnableSaveScheduleSegmentSpinStatisticsTraceUntilWriteWriter
    • String ID:
    • API String ID: 1433224942-0
    • Opcode ID: 737f08d260753615486fc7c993cbe56d9dd224d3270aa54b604d9831181dc1a9
    • Instruction ID: 19fa9c24d0bbe31f42a08639f87718b978164268a0576da70302760ef0425ecd
    • Opcode Fuzzy Hash: 737f08d260753615486fc7c993cbe56d9dd224d3270aa54b604d9831181dc1a9
    • Instruction Fuzzy Hash: 1B412AB56082019FCB09DF68C8D1B2977A6BF89218F154099EE168F35ACBB5AD21CB50
    APIs
    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 6D15AFA2
    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 6D15AFAD
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15AFBC
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15AFCA
    • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 6D15B02F
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15B071
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15B07F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleProxy::ResetSuspendThread
    • String ID: pContext$switchState
    • API String ID: 1615543006-2660820399
    • Opcode ID: 10847e9a8408c8d65fd093155a843d1168a286066d06739b2a80078ae7970004
    • Instruction ID: 1ea6a4ce92826954c6567444d2e7676d41d6a41098dd4bf8ffb6883fa7cff8d1
    • Opcode Fuzzy Hash: 10847e9a8408c8d65fd093155a843d1168a286066d06739b2a80078ae7970004
    • Instruction Fuzzy Hash: 123128BAA042195FCF06DF64C840E7D7376AF94324F128256ED349B249DBF5ED2186E0
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D13D7A3
      • Part of subcall function 6D13D2F2: std::exception::exception.LIBCONCRT ref: 6D13D2FF
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D13D7B1
      • Part of subcall function 6D1617DD: RaiseException.KERNEL32(?,?,?,6D13F47B,00000000,0000006F,00000000,?,?,?,?,?,6D13F47B,?,6D1AE250), ref: 6D16183C
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D13D7C3
      • Part of subcall function 6D13D334: std::exception::exception.LIBCONCRT ref: 6D13D341
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D13D7D1
    • std::regex_error::regex_error.LIBCPMT ref: 6D13D7E3
      • Part of subcall function 6D13D37F: std::exception::exception.LIBCONCRT ref: 6D13D397
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D13D7F1
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D13D803
      • Part of subcall function 6D13D3D0: std::exception::exception.LIBCONCRT ref: 6D13D3DD
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D13D811
    Strings
    Similarity
    • API ID: Exception@8Throwstd::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
    • String ID: bad function call
    • API String ID: 2570946744-3612616537
    • Opcode ID: 60378a195675bff609a47f86f79e1f33df1be0dc1f289b9f482c1157bd34310b
    • Instruction ID: 699a730894d3db788fbe8de9afd656ca020f2b7fbec92371bcffa22509947ac5
    • Opcode Fuzzy Hash: 60378a195675bff609a47f86f79e1f33df1be0dc1f289b9f482c1157bd34310b
    • Instruction Fuzzy Hash: 6D01FF7AC0425C77CB08EAE5DC49CDD777CAE14104F814860AB24D2899EBF0AB698AD5
    APIs
    • _free.LIBCMT ref: 6D182C13
      • Part of subcall function 6D17F672: HeapFree.KERNEL32(00000000,00000000,?,6D18119D,00000001,00000001), ref: 6D17F688
      • Part of subcall function 6D17F672: GetLastError.KERNEL32(02C15E31,?,6D18119D,00000001,00000001), ref: 6D17F69A
    • _free.LIBCMT ref: 6D182C1F
    • _free.LIBCMT ref: 6D182C2A
    • _free.LIBCMT ref: 6D182C35
    • _free.LIBCMT ref: 6D182C40
    • _free.LIBCMT ref: 6D182C4B
    • _free.LIBCMT ref: 6D182C56
    • _free.LIBCMT ref: 6D182C61
    • _free.LIBCMT ref: 6D182C6C
    • _free.LIBCMT ref: 6D182C7A
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 895a3428f0429fbe0b9bc41b5f81908ce231d3e1d6cb78555c12bc5b9e7c9644
    • Instruction ID: 670939e3c57b914fd74e6c340f6105d7423735f7e39b9abacba058931a8bf381
    • Opcode Fuzzy Hash: 895a3428f0429fbe0b9bc41b5f81908ce231d3e1d6cb78555c12bc5b9e7c9644
    • Instruction Fuzzy Hash: 3511A276504108AFCB11DF94C851DDA3BA6FF09294B1240A1FA588F235EBB1EB509F90
    APIs
    • Concurrency::details::UMSThreadProxy::InternalSwitchOut.LIBCONCRT ref: 6D15C8E7
      • Part of subcall function 6D15C53C: Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 6D15C588
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15C8FA
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15C908
    • Concurrency::details::UMSThreadProxy::InternalSwitchTo.LIBCONCRT ref: 6D15C9A9
    Strings
    Similarity
    • API ID: Concurrency::details::$InternalProxy::SwitchThread$CompletionCreateException@8ListThrowstd::invalid_argument::invalid_argument
    • String ID: pContext$switchState
    • API String ID: 2757435043-2660820399
    • Opcode ID: 9959a1858a8e8e0f39b28bfb837b657189aac0690176dde6c61c73ef15fe4b15
    • Instruction ID: 18be4e846a2e0b12ae8e1b6da7533155d63d2c3616d35b44c21fcfc9a1714643
    • Opcode Fuzzy Hash: 9959a1858a8e8e0f39b28bfb837b657189aac0690176dde6c61c73ef15fe4b15
    • Instruction Fuzzy Hash: 073144B6A006199BCF04DF78CC4092DB3B6BF96224B024255E930D739DDBB4EE21CB91
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D146428
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D146436
    • __EH_prolog3.LIBCMT ref: 6D146443
    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D146461
    • SetEvent.KERNEL32(?), ref: 6D1464B9
    • Concurrency::details::ResourceManager::~ResourceManager.LIBCONCRT ref: 6D1464CD
    Strings
    Similarity
    • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_EventException@8H_prolog3Lock::_ManagerManager::~ReentrantThrowstd::invalid_argument::invalid_argument
    • String ID: pScheduler$version
    • API String ID: 2013307433-3154422776
    • Opcode ID: a2fd4d5e8f73cb320fd9c86d42c1d126e14dce44fe3c49b1efa0765557389168
    • Instruction ID: ab9a7891c71864f2604f8c74159186fa592d9a47793f8188c41bf216dfb50894
    • Opcode Fuzzy Hash: a2fd4d5e8f73cb320fd9c86d42c1d126e14dce44fe3c49b1efa0765557389168
    • Instruction Fuzzy Hash: CA21047080921DABCF08EF74D8047ACB770BB15328F26C32DE224965D9CBF45952CB81
    APIs
    • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCMT ref: 6D154645
      • Part of subcall function 6D15456A: Hash.LIBCMT ref: 6D15457C
    • Concurrency::details::QuickBitSet::Grow.LIBCMT ref: 6D15465E
    • Concurrency::details::QuickBitSet::Wipe.LIBCMT ref: 6D154665
    • Concurrency::details::WorkSearchContext::Reset.LIBCONCRT ref: 6D154697
    • Concurrency::location::location.LIBCMT ref: 6D1546BE
    • Concurrency::location::_Assign.LIBCMT ref: 6D1546CA
    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 6D1546DC
    • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 6D1546E4
    • Concurrency::details::VirtualProcessor::TraceVirtualProcessorEvent.LIBCMT ref: 6D15470B
    Similarity
    • API ID: Concurrency::details::$Quick$Set::$Base::SchedulerVirtual$AssignCacheClearConcurrency::location::_Concurrency::location::locationContext::CountedEventGrowHashInterlockedMaskProcessorProcessor::ReferenceResetResourceSearchSlotTraceWipeWork
    • String ID:
    • API String ID: 1705074776-0
    • Opcode ID: 58403573e0dfd6a9440015f4438fab36fea65732678336d76eae93c01e82f8e6
    • Instruction ID: f4383a105e7b70852d43ba04ac3b9c56423770c435228a6668981d7f0d999473
    • Opcode Fuzzy Hash: 58403573e0dfd6a9440015f4438fab36fea65732678336d76eae93c01e82f8e6
    • Instruction Fuzzy Hash: 74410DB56042109FCB09DF18C4D0A697BA5FF48314F1981AAED19DF35ACB74AD11CF94
    APIs
    • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 6D15B878
    • GetLastError.KERNEL32(00000000), ref: 6D15B882
    • Concurrency::details::UMS::GetUmsCompletionListEvent.LIBCONCRT ref: 6D15B894
    • GetLastError.KERNEL32(00000000), ref: 6D15B89F
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15B8FD
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15B90B
    Similarity
    • API ID: CompletionConcurrency::details::ErrorLastList$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEventException@8Throw
    • String ID:
    • API String ID: 3486435800-0
    • Opcode ID: d603a9dd9f87e5ad5d39f139f6c1c5510b89572eb64b635d6cd2db45bc1b23a0
    • Instruction ID: 4d4e9c8ecefcf3500752353421a828e2ca84523a44a94bfed2cc949d6396fced
    • Opcode Fuzzy Hash: d603a9dd9f87e5ad5d39f139f6c1c5510b89572eb64b635d6cd2db45bc1b23a0
    • Instruction Fuzzy Hash: A611B2B560470766A7216A779E18F7B3BFCFA9265030045ADF931D1508EBE8E025C771
    APIs
      • Part of subcall function 6D182E35: GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
      • Part of subcall function 6D182E35: _free.LIBCMT ref: 6D182E6C
      • Part of subcall function 6D182E35: SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
      • Part of subcall function 6D182E35: _abort.LIBCMT ref: 6D182EB3
    • _memcmp.LIBVCRUNTIME ref: 6D184643
    • _free.LIBCMT ref: 6D1846B4
    • _free.LIBCMT ref: 6D1846CD
    • _free.LIBCMT ref: 6D1846FF
    • _free.LIBCMT ref: 6D184708
    • _free.LIBCMT ref: 6D184714
    Strings
    Similarity
    • API ID: _free$ErrorLast$_abort_memcmp
    • String ID: C
    • API String ID: 1679612858-1037565863
    • Opcode ID: f0891f8c95d028cbd1a14e457a2149d5179a279183179642f649b1b4b245ee21
    • Instruction ID: da54904fc8b4f231dcf8feca2cdc18e2208e789c4499dac7833a73c66466bff1
    • Opcode Fuzzy Hash: f0891f8c95d028cbd1a14e457a2149d5179a279183179642f649b1b4b245ee21
    • Instruction Fuzzy Hash: 8EC16D7590521ADFDB24CF18C884BADB7B9FF19304F1181AAE949A7355DBB0AE80CF40
    APIs
    • FindCompleteObject.LIBCMT ref: 6D163DF9
    • FindSITargetTypeInstance.LIBVCRUNTIME ref: 6D163E1D
    • FindMITargetTypeInstance.LIBVCRUNTIME ref: 6D163E32
      • Part of subcall function 6D16392B: PMDtoOffset.LIBCMT ref: 6D1639F5
    • FindVITargetTypeInstance.LIBVCRUNTIME ref: 6D163E39
    • PMDtoOffset.LIBCMT ref: 6D163E4A
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D163E84
    Strings
    Similarity
    • API ID: Find$InstanceTargetType$Offset$CompleteException@8ObjectThrow
    • String ID: Bad dynamic_cast!
    • API String ID: 836103879-2956939130
    • Opcode ID: e0e6bb0b64442627acf1c071b915bafc14703d73497bf728f662bcec01d71aa2
    • Instruction ID: ff4800271c2d13d63477f0bc4f3704c741e1268fdeb53a47ff5a0b04dbc76e2e
    • Opcode Fuzzy Hash: e0e6bb0b64442627acf1c071b915bafc14703d73497bf728f662bcec01d71aa2
    • Instruction Fuzzy Hash: 2821E772944285AFDB01CFA8DD44ABE7B78EF49710F1A4409F91097289DBB5D922CB70
    APIs
    • __EH_prolog3.LIBCMT ref: 6D15F37F
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000014,6D15F0A7,?,?,?,00000004,?,6D1AE2A4), ref: 6D15F3F5
    • GetLastError.KERNEL32 ref: 6D15F402
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15F418
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15F426
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D15F42F
    • GetLastError.KERNEL32 ref: 6D15F43C
    • Concurrency::details::UMSFreeVirtualProcessorRoot::CreatePrimary.LIBCONCRT ref: 6D15F44A
    Similarity
    • API ID: Create$ErrorEventLast$Concurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8FreeH_prolog3PrimaryProcessorRoot::ThrowVirtual
    • String ID:
    • API String ID: 3027012611-0
    • Opcode ID: eb3cd0c1d19091f7fcae148a640ab0cf0dd4740abedc264b545317a50b56b4ce
    • Instruction ID: 304fc5eb6fb0e8bccf313eb47da72bef2ac2c35e8813b9f67f8b7b1f548d135c
    • Opcode Fuzzy Hash: eb3cd0c1d19091f7fcae148a640ab0cf0dd4740abedc264b545317a50b56b4ce
    • Instruction Fuzzy Hash: 7121B3F0600657EFDB018FB6C984AAAFBB8FF153447444029E134D7619D7B8D421CBA1
    APIs
    • ___crtCreateEventExW.LIBCPMT ref: 6D14194E
    • GetLastError.KERNEL32(?,?,?,?,?,6D13F984), ref: 6D14195A
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141976
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141984
    • ___crtCreateEventExW.LIBCPMT ref: 6D1419A6
    • GetLastError.KERNEL32 ref: 6D1419B2
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D1419CE
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D1419DC
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
    • String ID:
    • API String ID: 200240550-0
    • Opcode ID: b8d5d155c91510bee1e73139d7fac147882f0b125202fcdee58490cb3243bc19
    • Instruction ID: 7c6d592c62ba246b59b7a3af238f6f1e17597b38fd194dc989adca131368afab
    • Opcode Fuzzy Hash: b8d5d155c91510bee1e73139d7fac147882f0b125202fcdee58490cb3243bc19
    • Instruction Fuzzy Hash: C4110C61B4825A65E710EAB1CD06F7F37ACA710608F54C955FA5CD90CAFBD0D5504262
    APIs
    • GetCPInfo.KERNEL32(031DCF48,031DCF48,?,7FFFFFFF,?,?,6D1959CF,031DCF48,031DCF48,?,031DCF48,?,?,?,?,031DCF48), ref: 6D1957A2
    • MultiByteToWideChar.KERNEL32(031DCF48,00000009,031DCF48,031DCF48,00000000,00000000,?,6D1959CF,031DCF48,031DCF48,?,031DCF48,?,?,?,?), ref: 6D195825
    • MultiByteToWideChar.KERNEL32(031DCF48,00000001,031DCF48,031DCF48,00000000,6D1959CF,?,6D1959CF,031DCF48,031DCF48,?,031DCF48,?,?,?,?), ref: 6D1958B8
    • MultiByteToWideChar.KERNEL32(031DCF48,00000009,031DCF48,031DCF48,00000000,00000000,?,6D1959CF,031DCF48,031DCF48,?,031DCF48,?,?,?,?), ref: 6D1958CF
      • Part of subcall function 6D181CB6: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D19398A,00000001,00000000,?,6D18A7C9,00000001,00000004,00000000,00000001,?,?,6D181278), ref: 6D181CE8
    • MultiByteToWideChar.KERNEL32(031DCF48,00000001,031DCF48,031DCF48,00000000,031DCF48,?,6D1959CF,031DCF48,031DCF48,?,031DCF48,?,?,?,?), ref: 6D19594B
    • __freea.LIBCMT ref: 6D195976
    • __freea.LIBCMT ref: 6D195982
    Similarity
    • API ID: ByteCharMultiWide$__freea$AllocHeapInfo
    • String ID:
    • API String ID: 2171645-0
    • Opcode ID: 9dfda7961aca2ad8aba80fd99f88ba1f9f32b93d149b985f9d385d2ac0580898
    • Instruction ID: c203433aecd38f5f4cb38e99dd0c8dfb3d9d42b4eac25fd293aadb8eae163095
    • Opcode Fuzzy Hash: 9dfda7961aca2ad8aba80fd99f88ba1f9f32b93d149b985f9d385d2ac0580898
    • Instruction Fuzzy Hash: 6F91EF72E18216DFFB148EB4C890AFEBBB5AB19325F554119E914FF248D7B4C9408BA0
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: a925afe7e3a21bf241dfa39486abe16fda9f391089a26ff265b3628d238f231b
    • Instruction ID: 35b3de4e24c93b89cdfe4ab8da49d080608b4b3b4bb05a80ecd4e57c6a843aab
    • Opcode Fuzzy Hash: a925afe7e3a21bf241dfa39486abe16fda9f391089a26ff265b3628d238f231b
    • Instruction Fuzzy Hash: 3961F871D08205AFEB10CF68C841B9ABBF6FF05710F15426AEA54EB259EBF09941CF90
    APIs
    • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,6D18B2F2,?,?,?,?,?,?), ref: 6D18ABBF
    • __fassign.LIBCMT ref: 6D18AC3A
    • __fassign.LIBCMT ref: 6D18AC55
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6D18AC7B
    • WriteFile.KERNEL32(?,?,00000000,6D18B2F2,00000000,?,?,?,?,?,?,?,?,?,6D18B2F2,?), ref: 6D18AC9A
    • WriteFile.KERNEL32(?,?,00000001,6D18B2F2,00000000,?,?,?,?,?,?,?,?,?,6D18B2F2,?), ref: 6D18ACD3
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: ec6da7d659a75f2b134900952118324c3b5e339848632b931d950d444d6c8b6a
    • Instruction ID: 04e69617250d85d80d97cfb2679e61a1634a281f93e5fd60ac2aec629bff0979
    • Opcode Fuzzy Hash: ec6da7d659a75f2b134900952118324c3b5e339848632b931d950d444d6c8b6a
    • Instruction Fuzzy Hash: BF5172B1A002499FDF10CFA8D891FEEBBB8EF19300F15411AE555E7296E7B0A941CF61
    APIs
    • std::bad_exception::bad_exception.LIBCMT ref: 6D150AA8
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D150AB6
    • std::bad_exception::bad_exception.LIBCMT ref: 6D150B2F
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D150B3D
    Similarity
    • API ID: Exception@8Throwstd::bad_exception::bad_exception
    • String ID:
    • API String ID: 953301-0
    • Opcode ID: afc0fe2f0a7826ad40a65a9c930d958ddb25966ac9a44234efd5fdf0c409d100
    • Instruction ID: 5748663999c15169588feaf11c8ae88e8a7596cf2efabda2b07ab2b5974fcb5c
    • Opcode Fuzzy Hash: afc0fe2f0a7826ad40a65a9c930d958ddb25966ac9a44234efd5fdf0c409d100
    • Instruction Fuzzy Hash: E14139B6A0C108AFCB04DBD6DC84DAEB36CEF5122CB11805AF6249B159DFF56D60C690
    APIs
    Strings
    Similarity
    • API ID: Exception$Ptr::__$H_prolog3_catchreset
    • String ID: csm
    • API String ID: 3607929194-1018135373
    • Opcode ID: 97bd48071dd881f872f3f956d9ed50d644deca330384d3d906850ada6b060edf
    • Instruction ID: 831a73bf3c2b5308af931b29ed87feaaffe0fad80a652c584cff6f10488465c1
    • Opcode Fuzzy Hash: 97bd48071dd881f872f3f956d9ed50d644deca330384d3d906850ada6b060edf
    • Instruction Fuzzy Hash: 313136B0D092599FDF05CFA8C990AEDBFF4AF59208F054059E911AF388D7B48A05CBA1
    APIs
      • Part of subcall function 6D18D10A: _free.LIBCMT ref: 6D18D133
    • _free.LIBCMT ref: 6D18D48F
      • Part of subcall function 6D17F672: HeapFree.KERNEL32(00000000,00000000,?,6D18119D,00000001,00000001), ref: 6D17F688
      • Part of subcall function 6D17F672: GetLastError.KERNEL32(02C15E31,?,6D18119D,00000001,00000001), ref: 6D17F69A
    • _free.LIBCMT ref: 6D18D49A
    • _free.LIBCMT ref: 6D18D4A5
    • _free.LIBCMT ref: 6D18D4F9
    • _free.LIBCMT ref: 6D18D504
    • _free.LIBCMT ref: 6D18D50F
    • _free.LIBCMT ref: 6D18D51A
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: b1ed28b53a87df3611c3bd7e5bc77d8ce3ac158bf886f165cb9698fefb6b5f67
    • Instruction ID: 9dbdf2a727029b0cf3d8427c0aa786fae9f8a5bedd301be95b15b406e147d8c1
    • Opcode Fuzzy Hash: b1ed28b53a87df3611c3bd7e5bc77d8ce3ac158bf886f165cb9698fefb6b5f67
    • Instruction Fuzzy Hash: 1A1184B2644B04BED630F771CC05FCB779DAF40705F414817B7AAA6069DBA4B9048F90
    APIs
    • GetLastError.KERNEL32(00000001,00000000,6D1621B1,6D13E895,6D13DFE3,?,6D13E1E0,?,00000001,?,?,00000001,?,6D1AE4A0,0000000C,6D13E2F2), ref: 6D16401B
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D164029
    • SetLastError.KERNEL32(00000000,6D13E1E0,?,00000001,?,?,00000001,?,6D1AE4A0,0000000C,6D13E2F2,?,00000001,?), ref: 6D164036
    Similarity
    • API ID: ErrorLast$Value___vcrt_
    • String ID:
    • API String ID: 483936075-0
    • Opcode ID: 42c3de25a5cb76136d1d4941669846709beb7830310318581953d1e663056e89
    • Instruction ID: 2a21db563820843c22883d97a3b3a86cab9b2134a3201f5933da56d8559c543b
    • Opcode Fuzzy Hash: 42c3de25a5cb76136d1d4941669846709beb7830310318581953d1e663056e89
    • Instruction Fuzzy Hash: D8F0F43A50DA7197963212B9F8287AF2670AB9BBB67160114F501D6188DFE4881292F1
    APIs
    • _ValidateScopeTableHandlers.LIBCMT ref: 6D164480
    • __FindPESection.LIBCMT ref: 6D16449A
    Similarity
    • API ID: FindHandlersScopeSectionTableValidate
    • String ID:
    • API String ID: 876702719-0
    • Opcode ID: 939da3d7d0c8805027a84e36440e38a848d35ac8e62d3b7c7deaf6019c112af4
    • Instruction ID: 54e24adc70a0d4573ed413f259148d9deeb458446e2eff93916bb622cf95226c
    • Opcode Fuzzy Hash: 939da3d7d0c8805027a84e36440e38a848d35ac8e62d3b7c7deaf6019c112af4
    • Instruction Fuzzy Hash: ADA1C071A082568FDB01CF68D9A07ADB7B4FB5D310F154229D914AB399E7B1EC21CBA0
    APIs
    • _free.LIBCMT ref: 6D18086E
    • _free.LIBCMT ref: 6D180888
    • _free.LIBCMT ref: 6D180893
    • _free.LIBCMT ref: 6D180967
    • _free.LIBCMT ref: 6D180983
      • Part of subcall function 6D18231A: IsProcessorFeaturePresent.KERNEL32(00000017,6D1822EC,00000000,00000001,00000004,00000000,00000001,00000001,?,?,6D1822F9,00000000,00000000,00000000,00000000,00000000), ref: 6D18231C
      • Part of subcall function 6D18231A: GetCurrentProcess.KERNEL32(C0000417,00000001), ref: 6D18233E
      • Part of subcall function 6D18231A: TerminateProcess.KERNEL32(00000000), ref: 6D182345
    • _free.LIBCMT ref: 6D18098D
    Similarity
    • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
    • String ID:
    • API String ID: 2329545287-0
    • Opcode ID: 21c06a71b01887ae46590f46f050f1d8097854fde67655bf8ad66fb1b45ea04a
    • Instruction ID: 1c76b4530070b0f91237b0b1e8e7a8f64202c556b90f885ca063052ed6494b25
    • Opcode Fuzzy Hash: 21c06a71b01887ae46590f46f050f1d8097854fde67655bf8ad66fb1b45ea04a
    • Instruction Fuzzy Hash: DA51CF36E0D209ABEB14CF699840BBB77A8EF46324F11405DE9449725AEBF19E418FD0
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6D17779F,6D17779F,?,?,?,6D18EDE7,00000001,00000001,68E85006), ref: 6D18EBF0
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6D18EDE7,00000001,00000001,68E85006,?,?,?), ref: 6D18EC76
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,68E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6D18ED70
    • __freea.LIBCMT ref: 6D18ED7D
      • Part of subcall function 6D181CB6: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D19398A,00000001,00000000,?,6D18A7C9,00000001,00000004,00000000,00000001,?,?,6D181278), ref: 6D181CE8
    • __freea.LIBCMT ref: 6D18ED86
    • __freea.LIBCMT ref: 6D18EDAB
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocHeap
    • String ID:
    • API String ID: 3147120248-0
    • Opcode ID: 09e5e3e6c07cc9e22bc219d96a1a70dd5557fe8609cd90b1e1016daa12876355
    • Instruction ID: 20209cbbb1d761677f6c3644c7a685dadef8b3a2feac3a4ebd67fff3743544c1
    • Opcode Fuzzy Hash: 09e5e3e6c07cc9e22bc219d96a1a70dd5557fe8609cd90b1e1016daa12876355
    • Instruction Fuzzy Hash: 5E512072A14216AFEB15CF64CC80EBF37A9EB54650F124728FD18D7149EBB2DE448A90
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 6D197562
    • OutputDebugStringW.KERNEL32(?), ref: 6D197574
    • IsDebuggerPresent.KERNEL32 ref: 6D19758F
    • CreateThread.KERNEL32(00000000,00000000,6D19770C,?,00000000,00000000), ref: 6D1975C9
    • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 6D1975DA
    • CloseHandle.KERNEL32(00000000), ref: 6D1975ED
    Similarity
    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
    • String ID:
    • API String ID: 3708507090-0
    • Opcode ID: efc0fd8f11767e46544d20061ba6747d5b40c3aeced85717b38f7470a93e438e
    • Instruction ID: 813ff1432129778e1ce8b640f8d4a930eb7ec0cfece2cf466964aaeb5175c6d1
    • Opcode Fuzzy Hash: efc0fd8f11767e46544d20061ba6747d5b40c3aeced85717b38f7470a93e438e
    • Instruction Fuzzy Hash: 5121D632D45216ABEF019EA99C08FAE7BB8FF52374F154606F930DB189C7F08502CA60
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 6D197489
    • OutputDebugStringA.KERNEL32(?), ref: 6D19749B
    • IsDebuggerPresent.KERNEL32 ref: 6D1974B6
    • CreateThread.KERNEL32(00000000,00000000,6D1976EA,?,00000000,00000000), ref: 6D1974F0
    • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 6D197501
    • CloseHandle.KERNEL32(00000000), ref: 6D197514
    Similarity
    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
    • String ID:
    • API String ID: 3708507090-0
    • Opcode ID: cb4a2db686d6b2c9543c7d17a386ee8973d5404a03f2acb9b8db3a0f4930d9cb
    • Instruction ID: 0807adfe60436ad009ba0554af4a70dd391cb45ccdd7c2957efc89c6d3877ba3
    • Opcode Fuzzy Hash: cb4a2db686d6b2c9543c7d17a386ee8973d5404a03f2acb9b8db3a0f4930d9cb
    • Instruction Fuzzy Hash: 27212531E45225ABDB01AFA9AC04FAE7B78FF42774F154602F931DB189D7F08402CAA0
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 6D15063B
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15065B
      • Part of subcall function 6D1617DD: RaiseException.KERNEL32(?,?,?,6D13F47B,00000000,0000006F,00000000,?,?,?,?,?,6D13F47B,?,6D1AE250), ref: 6D16183C
      • Part of subcall function 6D14FB62: Concurrency::event::wait.LIBCONCRT ref: 6D14FB78
    • Concurrency::details::_TaskCollection::_Alias.LIBCMT ref: 6D150663
    • new.LIBCMT ref: 6D150694
    • Concurrency::details::ContextBase::PushStructured.LIBCONCRT ref: 6D1506C6
    • Concurrency::details::ContextBase::PushStructured.LIBCONCRT ref: 6D1506F7
      • Part of subcall function 6D14D757: Concurrency::location::operator==.LIBCMT ref: 6D14D783
      • Part of subcall function 6D14D757: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6D14D7E4
      • Part of subcall function 6D14D757: Concurrency::details::WorkQueue::PushUnstructured.LIBCMT ref: 6D14D7EF
      • Part of subcall function 6D14D757: Concurrency::location::_Assign.LIBCMT ref: 6D14D82C
    Similarity
    • API ID: Concurrency::details::$Base::ContextPush$StructuredWork$AliasAssignCollection::_Concurrency::details::_Concurrency::event::waitConcurrency::location::_Concurrency::location::operator==CreateExceptionException@8H_prolog3_catchQueueQueue::RaiseTaskThrowUnstructured
    • String ID:
    • API String ID: 50514109-0
    • Opcode ID: 095123463ebe094a3bc68b278545ecc76caecb0e877dde3657f103085049a998
    • Instruction ID: 8dd2caef669deff4e7fd1147687cba18e09f19154fa3e96301f1c63f90cd147f
    • Opcode Fuzzy Hash: 095123463ebe094a3bc68b278545ecc76caecb0e877dde3657f103085049a998
    • Instruction Fuzzy Hash: A121F6B19086169FCF10DF66C450A7DB7B5BF84308B02C02DDAA9AB708CBF49911CB51
    APIs
    • Concurrency::details::_TaskCollection::_RunAndWait.LIBCONCRT ref: 6D15A748
      • Part of subcall function 6D1500D4: __EH_prolog3_catch.LIBCMT ref: 6D1500DB
      • Part of subcall function 6D1500D4: Concurrency::details::_TaskCollection::_Alias.LIBCMT ref: 6D1500E5
      • Part of subcall function 6D1500D4: Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 6D150147
      • Part of subcall function 6D1500D4: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150196
      • Part of subcall function 6D1500D4: Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6D1501C0
    • Concurrency::details::_TaskCollection::~_TaskCollection.LIBCONCRT ref: 6D15A753
      • Part of subcall function 6D14E8AE: Concurrency::details::_TaskCollection::_TaskCleanup.LIBCMT ref: 6D14E8E6
      • Part of subcall function 6D14E8AE: Concurrency::details::_TaskCollection::_ReleaseAlias.LIBCONCRT ref: 6D14E902
      • Part of subcall function 6D14E8AE: Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D14E953
      • Part of subcall function 6D14E8AE: __CxxThrowException@8.LIBVCRUNTIME ref: 6D14E96D
      • Part of subcall function 6D14E8AE: Concurrency::event::~event.LIBCONCRT ref: 6D14E975
    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D15A7D8
    • List.LIBCMT ref: 6D15A81C
      • Part of subcall function 6D14DB39: SafeRWList.LIBCONCRT ref: 6D14DB46
    • SafeRWList.LIBCONCRT ref: 6D15A83B
    • Concurrency::details::_CancellationTokenState::_DeregisterCallback.LIBCONCRT ref: 6D15A851
    • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D15A858
    • Concurrency::details::ContextBase::ClearAliasTable.LIBCMT ref: 6D15A881
    Similarity
    • API ID: Concurrency::details::_$Task$Collection::_$AliasCancellationListRelease$Base::CallbackConcurrency::details::ContextCounter::_Exception@8SafeState::_ThrowToken$AcquireCleanupClearCollectionCollection::~_Concurrency::event::~eventDeregisterH_prolog3_catchLock::_ReaderRegisterTableVisibleWaitWriteWriter
    • String ID:
    • API String ID: 1513459046-0
    • Opcode ID: 93f2c8826e0d3b011436c0436d929b1585568ee6bda0515e9b9b7ac9d2844024
    • Instruction ID: 76085211cbf0d268d3333ee72bc65bf2cbd07fcc74cffc3d238be451412ca92a
    • Opcode Fuzzy Hash: 93f2c8826e0d3b011436c0436d929b1585568ee6bda0515e9b9b7ac9d2844024
    • Instruction Fuzzy Hash: 27213070B483149FEF60DF64C890B98B7B5BF05318F0281D8CA695B29ACBB4AD85CF51
    APIs
    • GetLastError.KERNEL32(?,?,6D18ADD5,?,?,?,?,6D18B2B9,?,?,?,?,?,00000001,?,6D1B12C0), ref: 6D182E39
    • _free.LIBCMT ref: 6D182E6C
    • _free.LIBCMT ref: 6D182E94
    • SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EA1
    • SetLastError.KERNEL32(00000000,?,?,?,?,00000001,?,6D1B12C0,00000014,6D188F46,00000000,?,?,?,?), ref: 6D182EAD
    • _abort.LIBCMT ref: 6D182EB3
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: bb9e5e3f826a7c31bafc516ac29c2bcc6424c465d0cc6884c21641c917f5ccf6
    • Instruction ID: 64eeaddab6aa3a04d2f835119bdb41cc2705715113af06bfdd363b1a57a1c1c7
    • Opcode Fuzzy Hash: bb9e5e3f826a7c31bafc516ac29c2bcc6424c465d0cc6884c21641c917f5ccf6
    • Instruction Fuzzy Hash: 66F0F93518C7022AC723A764AC58B6B26369BD36A4B160015FA25D219EEFE088028965
    APIs
    • __EH_prolog3.LIBCMT ref: 6D14044C
    • new.LIBCMT ref: 6D140455
    • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 6D14046C
      • Part of subcall function 6D13F4C6: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 6D13F4E8
      • Part of subcall function 6D13F4C6: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 6D13F509
      • Part of subcall function 6D13F4C6: __CxxThrowException@8.LIBVCRUNTIME ref: 6D13F566
    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 6D14047F
    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 6D14048B
    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 6D140494
    Similarity
    • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefException@8H_prolog3LibraryLoadRegisterSchedulerSwitch_to_activeThrow
    • String ID:
    • API String ID: 1078493502-0
    • Opcode ID: 5776712239b1b70c7b332deb324b1d50617f20ff001392d3942332155e21297b
    • Instruction ID: 6384b4f07afccdafb912e65233a16243b9d7d71ad88654f37eee3bda94ab78ad
    • Opcode Fuzzy Hash: 5776712239b1b70c7b332deb324b1d50617f20ff001392d3942332155e21297b
    • Instruction Fuzzy Hash: ECF05930688325BBDF046EBA8414A7E35861FB1368F0BC139A625AF3C9DFF48D018391
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6D161A6B
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6D161AE5
      • Part of subcall function 6D19A560: __FindPESection.LIBCMT ref: 6D19A5B9
    • _ValidateLocalCookies.LIBCMT ref: 6D161B59
    • _ValidateLocalCookies.LIBCMT ref: 6D161B84
    Strings
    Similarity
    • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
    • String ID: csm
    • API String ID: 1685366865-1018135373
    • Opcode ID: 8a8f0a6effb5a426dcb6757d7645fb216102b3896f3b1e39bdc1fd803e444857
    • Instruction ID: d432d02fe2a64fe4df56d0a8678b828aeeaf9882a5e3b9d7d0ce6eb1051bf3ce
    • Opcode Fuzzy Hash: 8a8f0a6effb5a426dcb6757d7645fb216102b3896f3b1e39bdc1fd803e444857
    • Instruction Fuzzy Hash: BF413B31E082899FCF00CF68C890AAEBBB4EF45328F05C155E9149F259D7B1D965CBE0
    APIs
    • GetModuleHandleA.KERNEL32(64D59454), ref: 6D1329A7
    • GetProcAddress.KERNEL32(00000000,-0C1487EC), ref: 6D1329AF
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: _$4$_$4$_$4
    • API String ID: 1646373207-3055943180
    • Opcode ID: 6ae11600837869606fcabdd49290f03b5c58a76bcb0486feefa61d636f5930ce
    • Instruction ID: d1abe40f7a0600c2642d7c764d1b6acd0c1743b910e6a9ed006d7b4e6e456fb7
    • Opcode Fuzzy Hash: 6ae11600837869606fcabdd49290f03b5c58a76bcb0486feefa61d636f5930ce
    • Instruction Fuzzy Hash: 5A41563171C2714BDF35AF2D994461D3BF1B79A300762C4AAEA80C730AE3E4E84997D1
    Strings
    Similarity
    • API ID:
    • String ID: O/~2$O/~2$O/~2
    • API String ID: 0-3230127083
    • Opcode ID: d4093d3ad1936b5dc96dc08a0da5fac19d549e215c5b39aea36979ebe77a5a95
    • Instruction ID: 24d1b694fd0c84f35f6238f472bbf7b9ab2b4ebe3acad24536ef74287c337a8b
    • Opcode Fuzzy Hash: d4093d3ad1936b5dc96dc08a0da5fac19d549e215c5b39aea36979ebe77a5a95
    • Instruction Fuzzy Hash: 0A415A3521C1214BCB15CE2FE58062A7AF1FB5A304B5B81AED585CB34DE3F0DC498752
    Strings
    Similarity
    • API ID:
    • String ID: Q>,$Q>,$Q>,
    • API String ID: 0-1249747301
    • Opcode ID: fecde3f9a2a7af8bcf98bf7f6b8e0d25fdc319453809f0d16a7836c6b5414cfb
    • Instruction ID: bb4bbcedbb0cf617e53a7e7e860ba3a418fcd3e5f8f8df358c50bb0bbf326815
    • Opcode Fuzzy Hash: fecde3f9a2a7af8bcf98bf7f6b8e0d25fdc319453809f0d16a7836c6b5414cfb
    • Instruction Fuzzy Hash: 72418C3571C5618BCF20CA3D99802257BB2FB5F314793852AE588C771AE3FADC858B91
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: MOC$RCC$csm$csm
    • API String ID: 0-1441736206
    • Opcode ID: c8fd0d171e5e44b54e2e3492bc0f51f6205e1b0013d60509b25d8c4083961136
    • Instruction ID: 00e1ad6b96acdcf084cbc6c4b84234e7d1d865b378524de643a7fcd0ad2d692c
    • Opcode Fuzzy Hash: c8fd0d171e5e44b54e2e3492bc0f51f6205e1b0013d60509b25d8c4083961136
    • Instruction Fuzzy Hash: 9331A071808386DFDB208E68C500766F7F5BF22305F0E455EC86657129C3F0D66ACAB2
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,6D1B998A,00000104), ref: 6D194FFA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 514040917-4022980321
    • Opcode ID: 8ca217be68669fe77af691ed8d75e4205e24b99a70da8ad747ab8e42ab7d7cc3
    • Instruction ID: 7ebb06ac3eac91ab941c69e3b42ee504e291718aef18fb46b48938b093fed2ad
    • Opcode Fuzzy Hash: 8ca217be68669fe77af691ed8d75e4205e24b99a70da8ad747ab8e42ab7d7cc3
    • Instruction Fuzzy Hash: B1216B7290920273EB1456755CA9F77362C9BA6749F5D0225FE09AD14EF3F2C14181A1
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15F060
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15F06E
    • __EH_prolog3.LIBCMT ref: 6D15F07B
    • new.LIBCMT ref: 6D15F084
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Exception@8H_prolog3Throwstd::invalid_argument::invalid_argument
    • String ID: pContext
    • API String ID: 3362379422-2046700901
    • Opcode ID: bd3f3d6765c7a58140b6fdf446cda77f42796732ceb29b5e01bf357ef2bd0018
    • Instruction ID: f96bf39cc96112d972cb8c683c570589f35f43a07ce89a46699ec03489040d46
    • Opcode Fuzzy Hash: bd3f3d6765c7a58140b6fdf446cda77f42796732ceb29b5e01bf357ef2bd0018
    • Instruction Fuzzy Hash: 24112C76B042295BDF049BA8C80086EB76AAF94614B064225FE34D7348DFF4DE1587D1
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 6D1989FE
    • new.LIBCMT ref: 6D198A49
    • __ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6D198A67
      • Part of subcall function 6D1984F2: EncodePointer.KERNEL32(?,?,00000000,00000000), ref: 6D1985A2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Exception$EncodeH_prolog3_catchPointerPtr::__
    • String ID: MOC$RCC
    • API String ID: 851667951-2084237596
    • Opcode ID: e04c06b9f101e719c367c9c752f4808ed73a1ea799a6878fded976554bb0fbab
    • Instruction ID: 399c6b86af56fa547a7d924472165eec7d469f374d97778142a2fc03bbc33bff
    • Opcode Fuzzy Hash: e04c06b9f101e719c367c9c752f4808ed73a1ea799a6878fded976554bb0fbab
    • Instruction Fuzzy Hash: 06111C70909255DFDB01DFA5C0809ADBB70BF45308F4680AD9A159F368CBF88A41CB71
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6D18045A,?,?,6D1803FA,?,6D1B0EE8,0000000C,6D180576,00000000,00000000), ref: 6D1804ED
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D180500
    • FreeLibrary.KERNEL32(00000000,?,?,?,6D18045A,?,?,6D1803FA,?,6D1B0EE8,0000000C,6D180576,00000000,00000000,00000001,6D13E15D), ref: 6D180523
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 403994c4554fa267e4b53ca52fa530b11c00abc61803fc846941cdfcdd931862
    • Instruction ID: bd2d36b319e98db7bb989472a045ba449f6e0d4975202c2c4195cab0de7e3e3b
    • Opcode Fuzzy Hash: 403994c4554fa267e4b53ca52fa530b11c00abc61803fc846941cdfcdd931862
    • Instruction Fuzzy Hash: 4BF0623590121DBFDF119FA2D818BADBFB4EF19352F050069F809A6159DFB09A41DBA0
    APIs
    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 6D1510F1
    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 6D151115
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15112A
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D151138
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
    • String ID: pScheduler
    • API String ID: 3657713681-923244539
    • Opcode ID: 84f433c223bb68604a2cea91f66fa02e79efdce0c64a4fe3e4615c4261135a5d
    • Instruction ID: a9453f8ab52ba89c8fa79c751ca3be3a2fae6068134554120e10a29f29bfd146
    • Opcode Fuzzy Hash: 84f433c223bb68604a2cea91f66fa02e79efdce0c64a4fe3e4615c4261135a5d
    • Instruction Fuzzy Hash: 72F0C9FA90440867C321EE64EC40CAEB3389F80224711815AE6265304CCBF1AD56C6D0
    APIs
      • Part of subcall function 6D181CB6: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D19398A,00000001,00000000,?,6D18A7C9,00000001,00000004,00000000,00000001,?,?,6D181278), ref: 6D181CE8
    • _free.LIBCMT ref: 6D184026
    • _free.LIBCMT ref: 6D18403D
    • _free.LIBCMT ref: 6D18405C
    • _free.LIBCMT ref: 6D184077
    • _free.LIBCMT ref: 6D18408E
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free$AllocHeap
    • String ID:
    • API String ID: 1835388192-0
    • Opcode ID: bfd6dc627d9c0aa693e95210d6b0a81686ff6ccec0ee01a4a056dce8798c87dc
    • Instruction ID: 2b9e07bbf155cf5518e8d98f5039e4381707b22c1a428499d8020cfb8c3559e9
    • Opcode Fuzzy Hash: bfd6dc627d9c0aa693e95210d6b0a81686ff6ccec0ee01a4a056dce8798c87dc
    • Instruction Fuzzy Hash: C9510331A04205AFDB21CF69C840BAB77F9FF59324F054569E909DB269EBB1E901CF80
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 78f113b22956ce256fa27f008f350a054ee2485f7fc10645612653b0fede9b88
    • Instruction ID: 3826f34f5b5fa2468ba98dabca91feeccf56c83749e65109e29387b66fcf0489
    • Opcode Fuzzy Hash: 78f113b22956ce256fa27f008f350a054ee2485f7fc10645612653b0fede9b88
    • Instruction Fuzzy Hash: 4141B437A002049FCB14DF78C890A5DB7B6FF85314B268569E525EB296E7B1A941CB80
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 6D141134
    • Concurrency::critical_section::scoped_lock::scoped_lock.LIBCONCRT ref: 6D14115E
      • Part of subcall function 6D13F6FB: __EH_prolog3.LIBCMT ref: 6D13F702
      • Part of subcall function 6D13F6FB: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 6D13F723
      • Part of subcall function 6D13F6FB: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 6D13F731
    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 6D1411FB
    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 6D14122D
    • __freea.LIBCMT ref: 6D141252
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::LockNode::Queue$Acquire_lockConcurrency::critical_section::_Concurrency::critical_section::scoped_lock::scoped_lockConcurrency::details::_EventH_prolog3H_prolog3_Lock::_NodeReaderSatisfyScoped_lockScoped_lock::~_WaitWriter__freea
    • String ID:
    • API String ID: 89001777-0
    • Opcode ID: 8a213d81719a97bad7b8c3ed52d7f055a2ea07f4ac62e8d809ec2e3c2f8370f1
    • Instruction ID: f757a83bacafde500fbfd742bcee1dd828f691052d167fad06ee0178e25a9a1c
    • Opcode Fuzzy Hash: 8a213d81719a97bad7b8c3ed52d7f055a2ea07f4ac62e8d809ec2e3c2f8370f1
    • Instruction Fuzzy Hash: 9641D4B2E041168BCB05CFB8C9409ADB7F2BF54714B668129C915E7248DBB4EE92C790
    APIs
      • Part of subcall function 6D141934: ___crtCreateEventExW.LIBCPMT ref: 6D14194E
      • Part of subcall function 6D141934: GetLastError.KERNEL32(?,?,?,?,?,6D13F984), ref: 6D14195A
      • Part of subcall function 6D141934: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141976
      • Part of subcall function 6D141934: __CxxThrowException@8.LIBVCRUNTIME ref: 6D141984
      • Part of subcall function 6D141934: ___crtCreateEventExW.LIBCPMT ref: 6D1419A6
      • Part of subcall function 6D141934: GetLastError.KERNEL32 ref: 6D1419B2
      • Part of subcall function 6D141934: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D1419CE
      • Part of subcall function 6D141934: __CxxThrowException@8.LIBVCRUNTIME ref: 6D1419DC
    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 6D15BF3D
      • Part of subcall function 6D1420B7: ___crtGetTimeFormatEx.LIBCMT ref: 6D1420CD
      • Part of subcall function 6D1420B7: Concurrency::details::ReferenceLoadLibrary.LIBCMT ref: 6D1420EC
    • CloseHandle.KERNEL32(?), ref: 6D15BF4F
    • GetLastError.KERNEL32 ref: 6D15BF68
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15BF8B
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15BF99
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8LastThrow___crt$Concurrency::details::EventLibraryLoad$CloseFormatHandleReferenceThreadTime
    • String ID:
    • API String ID: 503882564-0
    • Opcode ID: 65cd072dff29b07d0f3aa8c0fbd29c444b70a5dd17c160c46274b127a47467bc
    • Instruction ID: b1d93355e1bf4f3ba7f7f80b89cb9bd055ece6f6cdfc4fa864169eea22251503
    • Opcode Fuzzy Hash: 65cd072dff29b07d0f3aa8c0fbd29c444b70a5dd17c160c46274b127a47467bc
    • Instruction Fuzzy Hash: 0131E5B5A00214AFC711DFA9C940A5EBBF8FF18254B25816EE949D7300D7B1EA12CBD1
    APIs
    • _SpinWait.LIBCONCRT ref: 6D14CAC5
      • Part of subcall function 6D14006C: _SpinWait.LIBCMT ref: 6D140084
    • Concurrency::details::ContextBase::ClearAliasTable.LIBCMT ref: 6D14CAD9
    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D14CB01
    • List.LIBCMT ref: 6D14CB96
    • List.LIBCMT ref: 6D14CBA5
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
    • String ID:
    • API String ID: 3281396844-0
    • Opcode ID: 6e835f1dbd2cbcb8abe0eb5bcc5bb7084ba3b2e79c7ce00a46edc1ea983fa079
    • Instruction ID: 72bca07375bc76dd548756e9d12ee20d4d1270dd54339907f4584628cab8e1ae
    • Opcode Fuzzy Hash: 6e835f1dbd2cbcb8abe0eb5bcc5bb7084ba3b2e79c7ce00a46edc1ea983fa079
    • Instruction Fuzzy Hash: EB31BC31D09716DFCF04DFA8C5805EDBBB2BF24348B16C069C9517B249DBB0AA19CBA0
    APIs
      • Part of subcall function 6D141934: ___crtCreateEventExW.LIBCPMT ref: 6D14194E
      • Part of subcall function 6D141934: GetLastError.KERNEL32(?,?,?,?,?,6D13F984), ref: 6D14195A
      • Part of subcall function 6D141934: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141976
      • Part of subcall function 6D141934: __CxxThrowException@8.LIBVCRUNTIME ref: 6D141984
      • Part of subcall function 6D141934: ___crtCreateEventExW.LIBCPMT ref: 6D1419A6
      • Part of subcall function 6D141934: GetLastError.KERNEL32 ref: 6D1419B2
      • Part of subcall function 6D141934: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D1419CE
      • Part of subcall function 6D141934: __CxxThrowException@8.LIBVCRUNTIME ref: 6D1419DC
    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 6D15BF3D
      • Part of subcall function 6D1420B7: ___crtGetTimeFormatEx.LIBCMT ref: 6D1420CD
      • Part of subcall function 6D1420B7: Concurrency::details::ReferenceLoadLibrary.LIBCMT ref: 6D1420EC
    • CloseHandle.KERNEL32(?), ref: 6D15BF4F
    • GetLastError.KERNEL32 ref: 6D15BF68
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15BF8B
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15BF99
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8LastThrow___crt$Concurrency::details::EventLibraryLoad$CloseFormatHandleReferenceThreadTime
    • String ID:
    • API String ID: 503882564-0
    • Opcode ID: 3500a21ef44ce40af009e4ae0607b046eb281aa5a568f360c30953a1a27b508e
    • Instruction ID: 7b34fcb70740dd69ba14797179cdd09c988cf431c6a39a3dbe939ac0249f4fbe
    • Opcode Fuzzy Hash: 3500a21ef44ce40af009e4ae0607b046eb281aa5a568f360c30953a1a27b508e
    • Instruction Fuzzy Hash: BF31D2B5900214AFCB11DFA5C940A5EBBF4FF18254B25815EE949DB301DBB1EA12CFD1
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 6D189E6F
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D189E92
      • Part of subcall function 6D181CB6: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D19398A,00000001,00000000,?,6D18A7C9,00000001,00000004,00000000,00000001,?,?,6D181278), ref: 6D181CE8
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6D189EB8
    • _free.LIBCMT ref: 6D189ECB
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D189EDA
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
    • String ID:
    • API String ID: 2278895681-0
    • Opcode ID: bfe70f012a057a5014ad39b55aa7cc8218240d9efe7230325cfabf9be4270008
    • Instruction ID: 4722f83189e67066e064edcc205deb4a2720cad3190424d376e5f077edb620fd
    • Opcode Fuzzy Hash: bfe70f012a057a5014ad39b55aa7cc8218240d9efe7230325cfabf9be4270008
    • Instruction Fuzzy Hash: 9E01D8B26417157F671286AF6C98DBF2D7DDAC39643110118F914C610DEFE0CF0189B0
    APIs
    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 6D1481BE
      • Part of subcall function 6D148C71: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 6D148C89
      • Part of subcall function 6D148C71: __EH_prolog3.LIBCMT ref: 6D14B775
      • Part of subcall function 6D148C71: Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D14B782
      • Part of subcall function 6D148C71: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 6D14B794
      • Part of subcall function 6D148C71: InterlockedPopEntrySList.KERNEL32(6D1B9258,00000004,6D19E430,000000FF), ref: 6D14B7AA
    • Hash.LIBCONCRT ref: 6D1481CB
    • Hash.LIBCONCRT ref: 6D1481E1
      • Part of subcall function 6D13F79C: DeleteCriticalSection.KERNEL32(?,6D15311D,02C15E31,00000000,?,?,00000000,6D19EF09,000000FF,?,6D1432B6), ref: 6D13F79D
    • ~ListArray.LIBCONCRT ref: 6D148200
      • Part of subcall function 6D148034: InterlockedFlushSList.KERNEL32(?,?,?,6D148205,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D148039
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D148042
      • Part of subcall function 6D148034: InterlockedFlushSList.KERNEL32(?,00000000,?,?,6D148205,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D14804B
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D148054
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D14805E
    • ~ListArray.LIBCONCRT ref: 6D148208
      • Part of subcall function 6D1480AE: InterlockedFlushSList.KERNEL32(?,?,?,6D14820D,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D1480B3
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480BC
      • Part of subcall function 6D1480AE: InterlockedFlushSList.KERNEL32(?,00000000,?,?,6D14820D,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D1480C5
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480CE
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480D8
      • Part of subcall function 6D1480AE: _InternalDeleteHelper.LIBCONCRT ref: 6D1480F1
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteHashScheduling$AcquireBase::CleanupConcCriticalEntryEventH_prolog3HelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
    • String ID:
    • API String ID: 2613779565-0
    • Opcode ID: dabc6605e52152bab3ea5e48600f4c57bd5a839ffd93d1d5ce5538171f2d645c
    • Instruction ID: e6b7f5796c7b49cf3ee34003ca9d5c36f3c625a52d02b9a4533351263bb93afb
    • Opcode Fuzzy Hash: dabc6605e52152bab3ea5e48600f4c57bd5a839ffd93d1d5ce5538171f2d645c
    • Instruction Fuzzy Hash: A411E732508906AFC709DB60DC10ADEF775FF90718F42822AD62963558DFB57925CBC0
    APIs
    • Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 6D1481BE
      • Part of subcall function 6D148C71: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 6D148C89
      • Part of subcall function 6D148C71: __EH_prolog3.LIBCMT ref: 6D14B775
      • Part of subcall function 6D148C71: Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D14B782
      • Part of subcall function 6D148C71: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 6D14B794
      • Part of subcall function 6D148C71: InterlockedPopEntrySList.KERNEL32(6D1B9258,00000004,6D19E430,000000FF), ref: 6D14B7AA
    • Hash.LIBCONCRT ref: 6D1481CB
    • Hash.LIBCONCRT ref: 6D1481E1
      • Part of subcall function 6D13F79C: DeleteCriticalSection.KERNEL32(?,6D15311D,02C15E31,00000000,?,?,00000000,6D19EF09,000000FF,?,6D1432B6), ref: 6D13F79D
    • ~ListArray.LIBCONCRT ref: 6D148200
      • Part of subcall function 6D148034: InterlockedFlushSList.KERNEL32(?,?,?,6D148205,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D148039
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D148042
      • Part of subcall function 6D148034: InterlockedFlushSList.KERNEL32(?,00000000,?,?,6D148205,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D14804B
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D148054
      • Part of subcall function 6D148034: ListArray.LIBCONCRT ref: 6D14805E
    • ~ListArray.LIBCONCRT ref: 6D148208
      • Part of subcall function 6D1480AE: InterlockedFlushSList.KERNEL32(?,?,?,6D14820D,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D1480B3
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480BC
      • Part of subcall function 6D1480AE: InterlockedFlushSList.KERNEL32(?,00000000,?,?,6D14820D,02C15E31,?,?,?,6D19E430,000000FF), ref: 6D1480C5
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480CE
      • Part of subcall function 6D1480AE: ListArray.LIBCONCRT ref: 6D1480D8
      • Part of subcall function 6D1480AE: _InternalDeleteHelper.LIBCONCRT ref: 6D1480F1
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteHashScheduling$AcquireBase::CleanupConcCriticalEntryEventH_prolog3HelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
    • String ID:
    • API String ID: 2613779565-0
    • Opcode ID: 3a747aff5b3be49be42088e4190c014e6ca5c58c79722e6769b9a67eaecdbff0
    • Instruction ID: c20ec094f033b72d77abcca6d34cc16fb57732c1df06b1165d5159a34d6c5e98
    • Opcode Fuzzy Hash: 3a747aff5b3be49be42088e4190c014e6ca5c58c79722e6769b9a67eaecdbff0
    • Instruction Fuzzy Hash: 1F11C631508906AFC708DF61DC10ADAF765FF90718F42822AD62663998DFB57925CBC1
    APIs
    • GetLastError.KERNEL32(00000001,02C15E31,-00000004,6D182418,6D17F698,02C15E31,?,6D18119D,00000001,00000001), ref: 6D182EBE
    • _free.LIBCMT ref: 6D182EF3
    • _free.LIBCMT ref: 6D182F1A
    • SetLastError.KERNEL32(00000000,00000001), ref: 6D182F27
    • SetLastError.KERNEL32(00000000,00000001), ref: 6D182F30
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: 8846fb6b99b68523029393308d109d7ef5527f1e91d59459e4a7e6b77b55e37c
    • Instruction ID: 0e283a0256730d582d8e7c50cf7924dee54a4b73fc699df84e4a008c8bafc968
    • Opcode Fuzzy Hash: 8846fb6b99b68523029393308d109d7ef5527f1e91d59459e4a7e6b77b55e37c
    • Instruction Fuzzy Hash: B901D63619D70266C22397699C98E1B233AEBD72B47160015F5149229EEFF48801C960
    APIs
    • __EH_prolog3.LIBCMT ref: 6D143A7C
    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D143A89
    • new.LIBCMT ref: 6D143AA1
    • new.LIBCMT ref: 6D143AC9
    • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 6D143ADC
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
    • String ID:
    • API String ID: 220083066-0
    • Opcode ID: f3c084c5cf46c23ea9cca91de12a28aca5a68e49f9e503d8c53661b327cf743c
    • Instruction ID: 57264512c791574cdb37945b8413c279b70ec089362b68ad4acb7b8458dc664d
    • Opcode Fuzzy Hash: f3c084c5cf46c23ea9cca91de12a28aca5a68e49f9e503d8c53661b327cf743c
    • Instruction Fuzzy Hash: 1001C470ACD3459BDF05EBB8505076D7AA16B5A318F62806DE105EB388DFF48E43D712
    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6D15E95A
    • GetLastError.KERNEL32 ref: 6D15E966
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15E986
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15E994
    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D15E9A8
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastLock::_ReaderThrowWriteWriter
    • String ID:
    • API String ID: 2406344037-0
    • Opcode ID: ac7dcfbb349fca78e9786f997fe332dff84bed47975c8862551be5318d221d78
    • Instruction ID: 5d475bb7c2f7ea68a1bbd47c13bfb6f9ad334f8f0cb83c7d5bc4f1984109be0e
    • Opcode Fuzzy Hash: ac7dcfbb349fca78e9786f997fe332dff84bed47975c8862551be5318d221d78
    • Instruction Fuzzy Hash: 4901A7716042259B93209F6ADC04DBBF7FCEF92750701442EF995D3214DBF4E51087A1
    APIs
    • __EH_prolog3.LIBCMT ref: 6D14B542
      • Part of subcall function 6D150E39: std::bad_exception::bad_exception.LIBCMT ref: 6D150E61
      • Part of subcall function 6D150E39: __CxxThrowException@8.LIBVCRUNTIME ref: 6D150E6F
    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 6D14B562
    • new.LIBCMT ref: 6D14B591
    • Concurrency::SchedulerPolicy::SchedulerPolicy.LIBCMT ref: 6D14B5A9
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D14B5DA
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Exception@8SchedulerThrow$AcquireConcurrency::Concurrency::details::_H_prolog3Lock::_PolicyPolicy::Reentrantstd::bad_exception::bad_exception
    • String ID:
    • API String ID: 542938808-0
    • Opcode ID: 5bd95be7652461e7caf58efecff86a0814ae12e8638bd5ddae8527035cda18e7
    • Instruction ID: 460c7ed71066644c8024237fb6a716a4f98485b64031c4f1b197b5997cb33aac
    • Opcode Fuzzy Hash: 5bd95be7652461e7caf58efecff86a0814ae12e8638bd5ddae8527035cda18e7
    • Instruction Fuzzy Hash: F9117C71A4D2159EDF04DBB0E5517ACB6B06B32318F0281699615AB2C8DBF88A45CB51
    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 6D1934BA
    • GetLastError.KERNEL32(?,?,?), ref: 6D1934C4
    • __dosmaperr.LIBCMT ref: 6D1934CB
    • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 6D1934E9
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 6D19350F
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: FilePointer$ErrorLast__dosmaperr
    • String ID:
    • API String ID: 1114809156-0
    • Opcode ID: 4da7c2d439df421bc3c9e0bf7b5dd6e40fb64af55cb9d7289e19ecfead7daf22
    • Instruction ID: 05995b16a83646fff36faa226e5665ece9133d660c37a38fd652f409c90be8a9
    • Opcode Fuzzy Hash: 4da7c2d439df421bc3c9e0bf7b5dd6e40fb64af55cb9d7289e19ecfead7daf22
    • Instruction Fuzzy Hash: E501C071901119BBDF219FA5DC089EF7F3DEF05370F004105F8289A194C7B09A41CBA0
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15065B
    • Concurrency::details::_TaskCollection::_Alias.LIBCMT ref: 6D150663
    • new.LIBCMT ref: 6D150694
    • Concurrency::details::ContextBase::PushStructured.LIBCONCRT ref: 6D1506C6
    • Concurrency::details::_UnrealizedChore::_InternalFree.LIBCONCRT ref: 6D150711
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::_$AliasBase::Chore::_Collection::_Concurrency::details::ContextException@8FreeInternalPushStructuredTaskThrowUnrealized
    • String ID:
    • API String ID: 2311307905-0
    • Opcode ID: 568f977ba64d0fa77af2abdb01125e682b6f663ac2febb6db483395899e613fb
    • Instruction ID: 70e6cf559a85f8dc4c44275845a202aa3afe4093b3316970b39b8ff580dde637
    • Opcode Fuzzy Hash: 568f977ba64d0fa77af2abdb01125e682b6f663ac2febb6db483395899e613fb
    • Instruction Fuzzy Hash: E011C2B1908B069FCB159F62C051A6DFBA5BF8020CF02C41DDAA997648CBF89D60CB91
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D150575
    • Concurrency::details::_TaskCollection::_Alias.LIBCMT ref: 6D15057D
    • new.LIBCMT ref: 6D1505AE
    • Concurrency::details::ContextBase::PushUnstructured.LIBCONCRT ref: 6D1505DD
    • Concurrency::details::_UnrealizedChore::_InternalFree.LIBCONCRT ref: 6D150625
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::_$AliasBase::Chore::_Collection::_Concurrency::details::ContextException@8FreeInternalPushTaskThrowUnrealizedUnstructured
    • String ID:
    • API String ID: 3156097236-0
    • Opcode ID: cfb8f5e126f6a7854a8e29705438cfdbb436a260607b7b130e914c5be4c5e03e
    • Instruction ID: a20bfe36ee23d6e733af7fcdda8733a3dbd9a134264cbafc2e271160cabf4c2c
    • Opcode Fuzzy Hash: cfb8f5e126f6a7854a8e29705438cfdbb436a260607b7b130e914c5be4c5e03e
    • Instruction Fuzzy Hash: 9C11CEF19187069FDB058F66C050A69FBA5BF4020CF02C52DD6AA9B648CBF89920CB90
    APIs
    • Concurrency::details::ContextBase::PopGoverningTokenState.LIBCMT ref: 6D1503B2
      • Part of subcall function 6D14D300: Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 6D14D31B
      • Part of subcall function 6D14D300: Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 6D14D33E
    • Concurrency::details::_CancellationTokenState::_DeregisterCallback.LIBCONCRT ref: 6D1503C5
      • Part of subcall function 6D14F50B: __EH_prolog3.LIBCMT ref: 6D14F512
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F522
      • Part of subcall function 6D14F50B: Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::remove.LIBCONCRT ref: 6D14F538
      • Part of subcall function 6D14F50B: Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D14F547
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F558
      • Part of subcall function 6D14F50B: atomic_compare_exchange.LIBCONCRT ref: 6D14F56E
      • Part of subcall function 6D14F50B: GetCurrentThreadId.KERNEL32 ref: 6D14F588
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F5A4
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F5C6
    • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D1503CD
    • Concurrency::details::_TaskCollection::_Abort.LIBCMT ref: 6D1503E5
    • Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6D150404
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::_$Token$Cnd_initstd::_$CancellationStateTask$Base::Base::_CollectionConcurrency::details::ContextCounter::_Release$AbortCallbackCollection::_Container::removeCurrentDeregisterGoverningH_prolog3RegistrationState::State::_ThreadVisibleatomic_compare_exchange
    • String ID:
    • API String ID: 770851549-0
    • Opcode ID: c55ede4f16a12ce689990af97296b0ff18cb4b48d601f35a49493ca22268f4f4
    • Instruction ID: 88664624ac9eab9b07f46996e300393addc06f2f470e7c36b9db9851042f2811
    • Opcode Fuzzy Hash: c55ede4f16a12ce689990af97296b0ff18cb4b48d601f35a49493ca22268f4f4
    • Instruction Fuzzy Hash: 2D111774600215DFCB00CF69C9C0EAD77F5BF54358B068068E965AB3AAC7B4EE90CB50
    APIs
    • _free.LIBCMT ref: 6D18CDAE
      • Part of subcall function 6D17F672: HeapFree.KERNEL32(00000000,00000000,?,6D18119D,00000001,00000001), ref: 6D17F688
      • Part of subcall function 6D17F672: GetLastError.KERNEL32(02C15E31,?,6D18119D,00000001,00000001), ref: 6D17F69A
    • _free.LIBCMT ref: 6D18CDC0
    • _free.LIBCMT ref: 6D18CDD2
    • _free.LIBCMT ref: 6D18CDE4
    • _free.LIBCMT ref: 6D18CDF6
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 94e20111d7f5f89e8ac2bc0d9174842df8033457276c1063f98b0dd172dab964
    • Instruction ID: 695cd4a5a01f4849dd3275c7d22ba9295a962a66bebfd92a88dd3bbf9be9159a
    • Opcode Fuzzy Hash: 94e20111d7f5f89e8ac2bc0d9174842df8033457276c1063f98b0dd172dab964
    • Instruction Fuzzy Hash: E6F0623260820997CB20EA59F581C273BFBFA223103514E05F128DB525CBB0F8804EE8
    APIs
    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 6D148A73
      • Part of subcall function 6D156513: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 6D15653A
      • Part of subcall function 6D156513: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 6D156553
      • Part of subcall function 6D156513: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 6D1565C8
      • Part of subcall function 6D156513: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 6D1565D0
    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 6D148A81
    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 6D148A8B
    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 6D148A95
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D148AB5
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowVirtualWork
    • String ID:
    • API String ID: 2080793376-0
    • Opcode ID: 9182e5d26cbeaf0cc134f8b60d74e125fd041e52d37a232ea328c700530afcae
    • Instruction ID: 0a08d6657cfcfa2c113551e415e405727ec1094168dcf73c589db7ec7495aa92
    • Opcode Fuzzy Hash: 9182e5d26cbeaf0cc134f8b60d74e125fd041e52d37a232ea328c700530afcae
    • Instruction Fuzzy Hash: EDF02432E0851D27CB16B2398820D7DF3694FE0518B42812AEA118324CDFF4CE5687D2
    APIs
    • GetModuleHandleA.KERNEL32(64D59454), ref: 6D12F0A7
    • GetProcAddress.KERNEL32(00000000,76DB7C8F), ref: 6D12F0AF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: &Cp{$&Cp{
    • API String ID: 1646373207-374447197
    • Opcode ID: efa0815a7f474371419ac05ab699a9e4f955d055075e8c6479ba6833136ca34d
    • Instruction ID: a9cbbc350d912cb6821caa72cca20bb96a0f7250a965705cf7f6c8c50c137aaf
    • Opcode Fuzzy Hash: efa0815a7f474371419ac05ab699a9e4f955d055075e8c6479ba6833136ca34d
    • Instruction Fuzzy Hash: 2441DF3161D0568FCF24CA3D85C02267BF1FB9A305751842AE984C730AE7F2EDC19B91
    APIs
    • DecodePointer.KERNEL32(?), ref: 6D198D10
    • RaiseException.KERNEL32(?,?,?,?), ref: 6D198D6B
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D198D96
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: DecodeExceptionException@8PointerRaiseThrow
    • String ID: csm
    • API String ID: 1465410060-1018135373
    • Opcode ID: 52204f74824bab3bcb7cdf7dfa2a7bdeb1e7882c39ca9772b03957b0c7ac7627
    • Instruction ID: caad73ca15f522ad485f2c36c546807acfadcee03161878910852c647436e1fb
    • Opcode Fuzzy Hash: 52204f74824bab3bcb7cdf7dfa2a7bdeb1e7882c39ca9772b03957b0c7ac7627
    • Instruction Fuzzy Hash: 0D319031A04209AFCB14CF95D984AAEF7F9EF64310F51411EF51A9B618D7B0AD01CB90
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 6D141ED4
    • swprintf.LIBCMT ref: 6D141F20
      • Part of subcall function 6D1424CF: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 6D1424E1
    • __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 6D141F4E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: __vswprintf_c_l$CurrentThreadswprintf
    • String ID: [%d:%d:%d:%d(%d)]
    • API String ID: 2020571703-3832470304
    • Opcode ID: 6590c64275de42496461aed89d9379619b7d8c77bd1252ddf7d43d3967614802
    • Instruction ID: 481002629914a260361a65f7445bae73fb3508dcc2b632cfb7a7087274200f1b
    • Opcode Fuzzy Hash: 6590c64275de42496461aed89d9379619b7d8c77bd1252ddf7d43d3967614802
    • Instruction Fuzzy Hash: D22107653042255FCB005BB88CA0A7E3769AF44314B06C479EA0AD7359DBB4DC6A8391
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 6D141ED4
    • swprintf.LIBCMT ref: 6D141F20
      • Part of subcall function 6D1424CF: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 6D1424E1
    • __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 6D141F4E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: __vswprintf_c_l$CurrentThreadswprintf
    • String ID: [%d:%d:%d:%d(%d)]
    • API String ID: 2020571703-3832470304
    • Opcode ID: 1305ce8c8d63e58e063bf2a8119f79126f7336040a1477d839cdc4dd2f6e0c24
    • Instruction ID: 4e2ed772b86fb581cf998bb20ce5d02921918b2ef088391aa28696f56ad7074e
    • Opcode Fuzzy Hash: 1305ce8c8d63e58e063bf2a8119f79126f7336040a1477d839cdc4dd2f6e0c24
    • Instruction Fuzzy Hash: FD2127653042215FDB005BB888A0A3F3769EF44718B06C47DEB0AD7358CBF49C6A83D1
    APIs
    • GetModuleHandleW.KERNEL32(1A256DDE), ref: 6D127D31
    Strings
    Similarity
    • API ID: HandleModule
    • String ID: j3$j3$j3
    • API String ID: 4139908857-1354161450
    • Opcode ID: 5adb12689fd1bdd7fffd8d9a2f2a463533b8aad7f1c485b361304ec34ec0d0be
    • Instruction ID: 3ba302f1e0b192c6f1d5e030f91bcad10fe75c567d5594391a03b8fed1a2b056
    • Opcode Fuzzy Hash: 5adb12689fd1bdd7fffd8d9a2f2a463533b8aad7f1c485b361304ec34ec0d0be
    • Instruction Fuzzy Hash: 6C315E74A086898FC725CF29C49076BBBF1BB9A344F11882EF494C7365D6B5D948CB42
    APIs
    Strings
    Similarity
    • API ID: _abort
    • String ID: GetEnabledXStateFeatures$GetFileInformationByHandleEx
    • API String ID: 1888311480-684149918
    • Opcode ID: 177fb1275008add0df755d6484d9bbf16868a5e704f1ed6eebff1dd8379d39c9
    • Instruction ID: a997d0594ce5b808f66a12e9caf8a5bf6c17b45ff1ef2f0d3292a278c270346e
    • Opcode Fuzzy Hash: 177fb1275008add0df755d6484d9bbf16868a5e704f1ed6eebff1dd8379d39c9
    • Instruction Fuzzy Hash: 3C113631E4821C7BCB109F65DC04A7E7BB0DF49220F0A0056F9089B25ADFF04E10CAD6
    APIs
    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 6D152D40
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D152D55
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D152D63
    Strings
    Similarity
    • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
    • String ID: pContext
    • API String ID: 1990795212-2046700901
    • Opcode ID: 8d5fe64e48a08b12b453a9d9957b12349bb274d8ffb1e6745a22c4470a926d0e
    • Instruction ID: 8767913a7375e8327b8f40fcbb293fbff3e8e25b4efa2c3ad0414a15dc863f4c
    • Opcode Fuzzy Hash: 8d5fe64e48a08b12b453a9d9957b12349bb274d8ffb1e6745a22c4470a926d0e
    • Instruction Fuzzy Hash: 39E0683AF0411867CB00EB68D804CBEB76D9FD4114B060016EA2493258DFF0EE2586E0
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15EE0C
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15EE1A
    • Concurrency::details::UMSThreadInternalContext::NotifyBlocked.LIBCMT ref: 6D15EE29
    Strings
    Similarity
    • API ID: BlockedConcurrency::details::Context::Exception@8InternalNotifyThreadThrowstd::invalid_argument::invalid_argument
    • String ID: pThreadProxy
    • API String ID: 790799-3651400591
    • Opcode ID: 3481eea8477fc9315d3958cdfeb914f3d4b14be67fa81c9b80f880389cc761e5
    • Instruction ID: 537be42a2be7ff3a61fc727d89e3292357abd4236ab0b02c38aa9117c1b5b8e6
    • Opcode Fuzzy Hash: 3481eea8477fc9315d3958cdfeb914f3d4b14be67fa81c9b80f880389cc761e5
    • Instruction Fuzzy Hash: C5E04872D0420C6BCB04EEA5DC04CA9776CEB14214F404166FD3497505DBB1EB24C6D1
    APIs
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: ff61b7353fc5a7b9897efb58157ca1e6820c38d9b8ab8d2d828904e164474c16
    • Instruction ID: 71c4f261e17d8354e2dbc133a4a6bacc5ea3af1c76c2325b77ea5e900599b9a4
    • Opcode Fuzzy Hash: ff61b7353fc5a7b9897efb58157ca1e6820c38d9b8ab8d2d828904e164474c16
    • Instruction Fuzzy Hash: 69A167319583869FF712CF68C890BBEFBE5EF22304F154169E5869B286C3B48941CF50
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,68E85006,6D170C1D,00000000,00000000,6D17779F,?,6D17779F,?,00000001,6D170C1D,68E85006,00000001,6D17779F,6D17779F), ref: 6D18D7D3
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6D18D85C
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D18D86E
    • __freea.LIBCMT ref: 6D18D877
      • Part of subcall function 6D181CB6: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D19398A,00000001,00000000,?,6D18A7C9,00000001,00000004,00000000,00000001,?,?,6D181278), ref: 6D181CE8
    Similarity
    • API ID: ByteCharMultiWide$AllocHeapStringType__freea
    • String ID:
    • API String ID: 573072132-0
    • Opcode ID: ba52951cf785362b4b71cecadf7f98c64a3d0713b243a78c97f42d69183a604d
    • Instruction ID: 9bed59fc13ae3992a12f7838486e10e1c254351d4a8faae3e703fdfd1fc3f19c
    • Opcode Fuzzy Hash: ba52951cf785362b4b71cecadf7f98c64a3d0713b243a78c97f42d69183a604d
    • Instruction Fuzzy Hash: B831C372A0021AAFDF15CF64DC41EAF3BA5EF92354F094129EC14D7259EBB5C950CBA0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 6D14F67D
    • Concurrency::event::wait_for_multiple.LIBCONCRT ref: 6D14F740
    • __freea.LIBCMT ref: 6D14F748
    • Concurrency::event::wait.LIBCONCRT ref: 6D14F757
    Similarity
    • API ID: Concurrency::event::waitConcurrency::event::wait_for_multipleH_prolog3___freea
    • String ID:
    • API String ID: 3676813913-0
    • Opcode ID: d31e0e2e2c61c51006eed53d56c2457302483bd9f50874363c3b40e11e2f844d
    • Instruction ID: ef61cbc7d8fde5ada34984caa1587a65df913b1142c66eb0ded92c656c27564d
    • Opcode Fuzzy Hash: d31e0e2e2c61c51006eed53d56c2457302483bd9f50874363c3b40e11e2f844d
    • Instruction Fuzzy Hash: AC21F875A141038BDB088F24CC519AE77A6AF51315B51C639DA22DB38DEBF8D885C750
    APIs
    • SetEvent.KERNEL32(?,00000000), ref: 6D159538
    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 6D159520
      • Part of subcall function 6D14DF65: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 6D14DF86
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15956B
    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 6D159593
    Similarity
    • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
    • String ID:
    • API String ID: 2630251706-0
    • Opcode ID: 8f51d68f175fbe7405433c2296d4dbfd988b91d92e17d2f71c91f188815dddcc
    • Instruction ID: 7f93a9086ae18580769fbbf1a22dd4e9a95ee5e0a58034d9f1e893cf04af360b
    • Opcode Fuzzy Hash: 8f51d68f175fbe7405433c2296d4dbfd988b91d92e17d2f71c91f188815dddcc
    • Instruction Fuzzy Hash: 91117DB1B042006BCF009F75DCA4D7DBB69EF85324F068066EB19DB299CFF49D228691
    APIs
    • CreateThread.KERNEL32(00000000,?,6D17F154,00000000,00000004,00000000), ref: 6D17F469
    • GetLastError.KERNEL32 ref: 6D17F475
    • __dosmaperr.LIBCMT ref: 6D17F47C
    • ResumeThread.KERNEL32(00000000), ref: 6D17F49A
    Similarity
    • API ID: Thread$CreateErrorLastResume__dosmaperr
    • String ID:
    • API String ID: 173952441-0
    • Opcode ID: 18c43bd6f8c24c80d02bf8efac3ae31f5e1248dfe751ee1781815308f31a7f24
    • Instruction ID: 34f5332bb26e44f78d9f1190f4dd891d468c7ac6a388c5410a82693203680427
    • Opcode Fuzzy Hash: 18c43bd6f8c24c80d02bf8efac3ae31f5e1248dfe751ee1781815308f31a7f24
    • Instruction Fuzzy Hash: 4901F9725181157BD7318BA5DC04BAF7B78EF82374F118215FA35961E9CBF08501C7A0
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,6D187B11,?,00000001,00000000,?,?,6D1887E3,00000008,GetCurrentPackageId), ref: 6D187B9C
    • GetLastError.KERNEL32(?,6D187B11,?,00000001,00000000,?,?,6D1887E3,00000008,GetCurrentPackageId,6D1A5980,6D1A5988,00000000), ref: 6D187BA8
    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,6D187B11,?,00000001,00000000,?,?,6D1887E3,00000008,GetCurrentPackageId,6D1A5980,6D1A5988,00000000), ref: 6D187BB6
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 2ad78ecc7a0727448336f3c9f42b80fc2dbb90b85a8b7c32ee7aff571325760b
    • Instruction ID: f6b91df42d4a4c0e1984763274907ed30cd87aaceff1264d074d61713bf9fa76
    • Opcode Fuzzy Hash: 2ad78ecc7a0727448336f3c9f42b80fc2dbb90b85a8b7c32ee7aff571325760b
    • Instruction Fuzzy Hash: 27012432B592279BCB118A699C54F9B7BA9AF4A7A07214521E815D324AC7B0DC00CEE0
    APIs
    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 6D15E299
    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 6D15E2AD
    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 6D15E2C5
    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 6D15E2DF
    Similarity
    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
    • String ID:
    • API String ID: 78362717-0
    • Opcode ID: 8df2fbeee73f1efe25f26e58a2ef9dcb0b9890dd514e7e0ae68e512d00cad637
    • Instruction ID: 6d8e8f4c66e3b3932d17ad7c1a9c37fabe92788d579be8ac9a1eb902ec78e87c
    • Opcode Fuzzy Hash: 8df2fbeee73f1efe25f26e58a2ef9dcb0b9890dd514e7e0ae68e512d00cad637
    • Instruction Fuzzy Hash: 9A01F7B2A04114A7CB119E55C950EAF7769AB55310F010056EE34DB288DAF5AE2186E1
    APIs
    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 6D15A7D8
    • List.LIBCMT ref: 6D15A81C
      • Part of subcall function 6D14DB39: SafeRWList.LIBCONCRT ref: 6D14DB46
    • SafeRWList.LIBCONCRT ref: 6D15A83B
    • Concurrency::details::_CancellationTokenState::_DeregisterCallback.LIBCONCRT ref: 6D15A851
    • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D15A858
    • Concurrency::details::ContextBase::ClearAliasTable.LIBCMT ref: 6D15A881
    Similarity
    • API ID: Concurrency::details::_List$Safe$AcquireAliasBase::CallbackCancellationClearConcurrency::details::ContextCounter::_DeregisterLock::_ReaderReleaseState::_TableTokenWriteWriter
    • String ID:
    • API String ID: 1950547777-0
    • Opcode ID: e8d9599b75e060284de5f5b8d013b681a4d6a85b404dbf8dd9cf28fa6626e9a9
    • Instruction ID: bbd46112fa777cdbc4f22859559c21a7ccf32d5e83fa82a1498d10549c956fb0
    • Opcode Fuzzy Hash: e8d9599b75e060284de5f5b8d013b681a4d6a85b404dbf8dd9cf28fa6626e9a9
    • Instruction Fuzzy Hash: 6A215C70B483148FEF60DF24C890B58B7B1BF05325F0281D8C9695B29ACBB4AD85CF11
    APIs
    • __EH_prolog3.LIBCMT ref: 6D141056
    • Concurrency::critical_section::scoped_lock::scoped_lock.LIBCONCRT ref: 6D141069
      • Part of subcall function 6D13F6FB: __EH_prolog3.LIBCMT ref: 6D13F702
      • Part of subcall function 6D13F6FB: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 6D13F723
      • Part of subcall function 6D13F6FB: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 6D13F731
    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 6D141082
    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 6D1410C7
    Similarity
    • API ID: Concurrency::details::H_prolog3LockNode::Queue$Acquire_lockConcurrency::critical_section::_Concurrency::critical_section::scoped_lock::scoped_lockConcurrency::details::_EventLock::_NodeReaderSatisfyScoped_lockScoped_lock::~_WaitWriter
    • String ID:
    • API String ID: 2889992684-0
    • Opcode ID: 23073fcd8f7dce732afc56168ac42a0b97436d28bebc7922bb54220b0d10de75
    • Instruction ID: 9c69710f8a4e424e45490abf1f910a80988b13ddf3daa1cd6a7e3e4e05854522
    • Opcode Fuzzy Hash: 23073fcd8f7dce732afc56168ac42a0b97436d28bebc7922bb54220b0d10de75
    • Instruction Fuzzy Hash: ED018035A442668BDB068B94C5907BDB3B2BF94314F178054C6216B34CDBF4A915CB92
    APIs
    • __EH_prolog3.LIBCMT ref: 6D159C07
    • __ExceptionPtrCopy.LIBCPMT ref: 6D159C20
      • Part of subcall function 6D198DE7: _Reset.LIBCPMT ref: 6D198DFB
      • Part of subcall function 6D198E74: shared_ptr.LIBCPMT ref: 6D198E7C
    • __ExceptionPtrCopy.LIBCPMT ref: 6D159C50
    • std::rethrow_exception.LIBCMT ref: 6D159C57
      • Part of subcall function 6D159CF8: __EH_prolog3.LIBCMT ref: 6D159CFF
    Similarity
    • API ID: CopyExceptionH_prolog3$Resetshared_ptrstd::rethrow_exception
    • String ID:
    • API String ID: 961941516-0
    • Opcode ID: 85a3cfda371d65c6f36747077d2d019e3f893729041cfea592b67e1a50293af7
    • Instruction ID: 1b33add6eb75261d31fbd2be1e4887a24b729f645c448d72e9459f78fc290844
    • Opcode Fuzzy Hash: 85a3cfda371d65c6f36747077d2d019e3f893729041cfea592b67e1a50293af7
    • Instruction Fuzzy Hash: B2F0C8F28496156BDB08A774AC45B9E73A85F24238F130315F731AB0C8DFE8AA5142E6
    APIs
    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 6D14F077
    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 6D14F087
    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 6D14F097
    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 6D14F0AB
    Similarity
    • API ID: Compare_exchange_acquire_4std::_
    • String ID:
    • API String ID: 3973403980-0
    • Opcode ID: 4764afb4e241dc771925f74fdb69fc2feb1c07f55e763448c8b7a9a21581d4c9
    • Instruction ID: adbf88a70f78372bd8f84d709d58e542fda6835759d877b5a6c57365c95a2349
    • Opcode Fuzzy Hash: 4764afb4e241dc771925f74fdb69fc2feb1c07f55e763448c8b7a9a21581d4c9
    • Instruction Fuzzy Hash: 7BF0C43640810EBBCF125EE4DD019AE3B27FB95264B15C421FE3885678DBB2C571AB52
    APIs
    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 6D1439C2
      • Part of subcall function 6D1420B7: ___crtGetTimeFormatEx.LIBCMT ref: 6D1420CD
      • Part of subcall function 6D1420B7: Concurrency::details::ReferenceLoadLibrary.LIBCMT ref: 6D1420EC
    • GetLastError.KERNEL32 ref: 6D1439D2
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D1439F8
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D143A06
    Similarity
    • API ID: Concurrency::details::LibraryLoad$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastReferenceThreadThrowTime___crt
    • String ID:
    • API String ID: 2079398795-0
    • Opcode ID: 7efd4c2dc02dd4e62e2d3acf6302712aac4cb6a3c25cc9dfb4c0025a04079807
    • Instruction ID: 7ad26abcfc2a45fd29e433f2a409e95909b72d540e061d0171053e588ebf0029
    • Opcode Fuzzy Hash: 7efd4c2dc02dd4e62e2d3acf6302712aac4cb6a3c25cc9dfb4c0025a04079807
    • Instruction Fuzzy Hash: 97F02E72E4821666D320F6F68C0AFBF37ECEB11350F51886AF904E6089FAD5D41146B5
    APIs
    • Concurrency::details::ContextBase::PopGoverningTokenState.LIBCMT ref: 6D150013
      • Part of subcall function 6D14D300: Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 6D14D31B
      • Part of subcall function 6D14D300: Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 6D14D33E
    • Concurrency::details::_CancellationTokenState::_DeregisterCallback.LIBCONCRT ref: 6D150023
      • Part of subcall function 6D14F50B: __EH_prolog3.LIBCMT ref: 6D14F512
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F522
      • Part of subcall function 6D14F50B: Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::remove.LIBCONCRT ref: 6D14F538
      • Part of subcall function 6D14F50B: Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 6D14F547
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F558
      • Part of subcall function 6D14F50B: atomic_compare_exchange.LIBCONCRT ref: 6D14F56E
      • Part of subcall function 6D14F50B: GetCurrentThreadId.KERNEL32 ref: 6D14F588
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F5A4
      • Part of subcall function 6D14F50B: std::_Cnd_initX.LIBCPMT ref: 6D14F5C6
    • Concurrency::details::_StructuredTaskCollection::_Abort.LIBCMT ref: 6D150035
    • Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6D150052
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    • Associated: 00000003.00000002.2200044347.000000006D120000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200179198.000000006D1A0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200218441.000000006D1B3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200242204.000000006D1B6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200255976.000000006D1B7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200277085.000000006D1B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2200298928.000000006D1BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d120000_rundll32.jbxd
    Similarity
    • API ID: Concurrency::details::_Token$Cnd_initstd::_$CancellationStateTask$Base::Base::_CollectionConcurrency::details::Context$AbortCallbackCollection::_Container::removeCounter::_CurrentDeregisterGoverningH_prolog3RegistrationReleaseState::State::_StructuredThreadVisibleatomic_compare_exchange
    • String ID:
    • API String ID: 3566614368-0
    • Opcode ID: 594be1761150261b7258c7652c1a9222c8b8971593e248d9a62edc0f524c2398
    • Instruction ID: 3cca7e373bd7613f9ac5613fab07aedb1a11a56d3e61cd2c8066ec40d207e088
    • Opcode Fuzzy Hash: 594be1761150261b7258c7652c1a9222c8b8971593e248d9a62edc0f524c2398
    • Instruction Fuzzy Hash: 27016DB0A04106DBDF01CFA1C4907BCB3B5BF5034CF018128D93167299C7B8AA96CB91
    APIs
    • Concurrency::details::UMSThreadProxy::SpinOnAndReturnBlockingType.LIBCMT ref: 6D15F176
    • SetEvent.KERNEL32(?,00000000,00000000,?,6D15EA66,-00000068,0000000C,6D15B7EE), ref: 6D15F186
    • InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,00000000,00000000,?,6D15EA66,-00000068,0000000C,6D15B7EE), ref: 6D15F1A5
    • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,6D15EA66,-00000068,0000000C,6D15B7EE), ref: 6D15F1C2
    Similarity
    • API ID: Event$BlockingConcurrency::details::EntryInterlockedListProxy::PushReturnSpinThreadType
    • String ID:
    • API String ID: 792890875-0
    • Opcode ID: 481bb6642c76884c7f0bede07837adcf03e5f79a204fe529532c9e8b94419e39
    • Instruction ID: 1b08731b6705611243bd94b007c4c0243675d64c56b7cb4691f3a4de4d5bdea1
    • Opcode Fuzzy Hash: 481bb6642c76884c7f0bede07837adcf03e5f79a204fe529532c9e8b94419e39
    • Instruction Fuzzy Hash: 4FF0B4B1144615ABCB049BA5D944BDAB7BDFF1B321F05442BE227C3504CBF4E4618B91
    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 6D15F307
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 6D15F313
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15F334
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15F342
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow
    • String ID:
    • API String ID: 1622984082-0
    • Opcode ID: 2393fd670a6f71d7fc70022ca646187ffaf7b0cf8166407da3d4794238387003
    • Instruction ID: c4b5f2c3e7b902aa67dbfc90b2463dabd1d3878f598dfbac23fa161ab074091a
    • Opcode Fuzzy Hash: 2393fd670a6f71d7fc70022ca646187ffaf7b0cf8166407da3d4794238387003
    • Instruction Fuzzy Hash: 0EF0A7F16142269BA700DBB99D04EBF77FCFB10241740486AF921D3204EBB4D810C7B5
    APIs
    • RegisterWaitForSingleObject.KERNEL32(?,00000000,6D15936D,000000A4,000000FF,0000000C), ref: 6D141C90
    • GetLastError.KERNEL32(?,?,?,?,6D1498FE,?,?,?,?,00000000,?,?,Lock already taken,?,00000000), ref: 6D141C9A
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141CB9
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141CC7
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
    • String ID:
    • API String ID: 3803302727-0
    • Opcode ID: dcfa4284ef6cff868676e9386ae98093d75694d58b0899f346632a6fcc61c43f
    • Instruction ID: d86387f7d8d2639237c00143d979e31192a8db776c406213fd4624e2da729e64
    • Opcode Fuzzy Hash: dcfa4284ef6cff868676e9386ae98093d75694d58b0899f346632a6fcc61c43f
    • Instruction Fuzzy Hash: FCF0A776A0410DE7DF01DFE1DE04FEE37B8BB00250F148254F915E5198D7B0D660AB61
    APIs
    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 6D14F114
      • Part of subcall function 6D13F9A6: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 6D148F31
    • Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 6D14F138
    • Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 6D14F149
    • Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 6D14F152
    Similarity
    • API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
    • String ID:
    • API String ID: 218105897-0
    • Opcode ID: 4a7d1cd0eac80e93f880abbe3cb95ef2f316effa45e380172c8977d09b81cfad
    • Instruction ID: dd47ef5d2ea5419db39f3ff19f62d240ff01685b452c4c0eede2867767cf8a8b
    • Opcode Fuzzy Hash: 4a7d1cd0eac80e93f880abbe3cb95ef2f316effa45e380172c8977d09b81cfad
    • Instruction Fuzzy Hash: 75F0E5B4304A204FEA119A24C950F5A33A59F84A18F02C42DD67E97389CBE4E802CB42
    APIs
      • Part of subcall function 6D141D81: TlsAlloc.KERNEL32(?,6D13F984), ref: 6D141D87
      • Part of subcall function 6D141D81: GetLastError.KERNEL32 ref: 6D141D92
      • Part of subcall function 6D141D81: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141DAE
      • Part of subcall function 6D141D81: __CxxThrowException@8.LIBVCRUNTIME ref: 6D141DBC
    • TlsAlloc.KERNEL32(?,6D13F984), ref: 6D1599F0
    • GetLastError.KERNEL32 ref: 6D159A00
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D159A1C
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D159A2A
    Similarity
    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
    • String ID:
    • API String ID: 3103352999-0
    • Opcode ID: 9f94af780497189a887c6bfceedbf2a326ca7d5a5417d1fc20b05c49af77f538
    • Instruction ID: 278c05692e32b1fe83353888bbef3a3455f8aa6c0a0c8d066f3dd485dd04db65
    • Opcode Fuzzy Hash: 9f94af780497189a887c6bfceedbf2a326ca7d5a5417d1fc20b05c49af77f538
    • Instruction Fuzzy Hash: FEE02BF0C481158B8B00BBB59C286BE33B8B712360B014B65E536D1198EBF9805497B3
    APIs
    • SetThreadPriority.KERNEL32(?,?), ref: 6D15C72E
    • GetLastError.KERNEL32 ref: 6D15C738
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D15C756
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15C764
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
    • String ID:
    • API String ID: 4286982218-0
    • Opcode ID: cd22b303b3cad3ccd1ed753c2e6af2cfc35a9babe84fd48e4b23cde283427b61
    • Instruction ID: a336a7b53e3cdef9c2ae73da39cf49a04a5bfed51f31eeebd6918eb7b4eb9cbb
    • Opcode Fuzzy Hash: cd22b303b3cad3ccd1ed753c2e6af2cfc35a9babe84fd48e4b23cde283427b61
    • Instruction Fuzzy Hash: 10E02BF160411A9B9700DFB5CD04ABF77BCFB10200B008429F911D5004EBB5D4218BA1
    APIs
    • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,6D13F984), ref: 6D141BBA
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,6D13F984), ref: 6D141BC4
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141BE3
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141BF1
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
    • String ID:
    • API String ID: 3016159387-0
    • Opcode ID: 7c111cbb7dcb30d9a5b8219266f91d641aec89e8428ef00ebb6c63fa565ed4fa
    • Instruction ID: 3e725e0b144e923a45d20d68b29767cc95de9bdebccd5777b5ca3fcfde1e6475
    • Opcode Fuzzy Hash: 7c111cbb7dcb30d9a5b8219266f91d641aec89e8428ef00ebb6c63fa565ed4fa
    • Instruction Fuzzy Hash: 90E09231A0810E978B04EBF28A08AAF73BCAB00245B918065E901E2108FFA4DA119772
    APIs
    • SetThreadPriority.KERNEL32(?,?), ref: 6D141D1C
    • GetLastError.KERNEL32 ref: 6D141D26
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141D42
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141D50
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
    • String ID:
    • API String ID: 4286982218-0
    • Opcode ID: 5d9ef00b6edd8427e50f21ac4f166b2fb07661969d0a8ba48b4427ecba8fe6f0
    • Instruction ID: b20113feeb570206b6a66871a09e2e9653f171198c7c385570e3de0364b2b0da
    • Opcode Fuzzy Hash: 5d9ef00b6edd8427e50f21ac4f166b2fb07661969d0a8ba48b4427ecba8fe6f0
    • Instruction Fuzzy Hash: 48E0DFB1A0401EA78B00AFB2CD08BBE37BCBB00240B44C829F919D4058EBB1D5609BA1
    APIs
    • TlsSetValue.KERNEL32(00000000,?,00000000,?,00000000,?,6D13F984,?,?,?,00000000,?,?,Lock already taken,?,00000000), ref: 6D141DEA
    • GetLastError.KERNEL32(?,?,?,00000000,?,?,Lock already taken,?,00000000), ref: 6D141DF4
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141E10
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141E1E
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
    • String ID:
    • API String ID: 1964976909-0
    • Opcode ID: af83dc253165e894c40e0048fb8f5220bafbf1895ad6dbee2229459f1f7cc7c9
    • Instruction ID: 57597652b9abd4aed3aca9c7509c65183b8f6ff16a41799e602c6df21533a464
    • Opcode Fuzzy Hash: af83dc253165e894c40e0048fb8f5220bafbf1895ad6dbee2229459f1f7cc7c9
    • Instruction Fuzzy Hash: 5FE0D87554402997DB01ABB2CD04BBF3B78BB00282F44C454F915E5059EBB1D46097A1
    APIs
    • TlsAlloc.KERNEL32(?,6D13F984), ref: 6D141D87
    • GetLastError.KERNEL32 ref: 6D141D92
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D141DAE
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D141DBC
    Similarity
    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
    • String ID:
    • API String ID: 3103352999-0
    • Opcode ID: 0e93588085b11c90ccd9c4ccf73ddc53d5b031db739801b33c1292b69efa18e4
    • Instruction ID: 25a6bd98722fc1c0354c67caefe050ad43af85455cc9db3c5a67188ede0a5bbb
    • Opcode Fuzzy Hash: 0e93588085b11c90ccd9c4ccf73ddc53d5b031db739801b33c1292b69efa18e4
    • Instruction Fuzzy Hash: C1E02671E04019838700E7B28D0C6BF3378BB00250B448B14F525C0088DBE0C0504662
    APIs
    • TlsAlloc.KERNEL32(?,6D13F984), ref: 6D1599F0
    • GetLastError.KERNEL32 ref: 6D159A00
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 6D159A1C
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D159A2A
    Similarity
    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
    • String ID:
    • API String ID: 3103352999-0
    • Opcode ID: 49fc21fdb8b8fcf79fe42cafa8f9a7351267626ab475660ea61b2bdf0afea327
    • Instruction ID: b1cf763de59dee388f45fd5b543ab08e613b961eb1fc6bb04becd33512b6a67e
    • Opcode Fuzzy Hash: 49fc21fdb8b8fcf79fe42cafa8f9a7351267626ab475660ea61b2bdf0afea327
    • Instruction Fuzzy Hash: F2E026F08042658BCB01B7B58C286BF37BCBA12260B440A65E132D6099EBE9C419DB72
    APIs
    Strings
    Similarity
    • API ID: __aulldvrm
    • String ID: +$-
    • API String ID: 1302938615-2137968064
    • Opcode ID: 80b52b027906a629a921d463302f6dd2bbd2df091626e8df1526b1821aa46d80
    • Instruction ID: cda16c8a8609daefac4afddf4166772963718912560ca0f0efd10bafc342fa92
    • Opcode Fuzzy Hash: 80b52b027906a629a921d463302f6dd2bbd2df091626e8df1526b1821aa46d80
    • Instruction Fuzzy Hash: FF91C670D4414EDBDF31CE68C8506ED7BB1BFD6328F15825AE864A72A9D3F095028B61
    APIs
    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6D18E0C1,?,00000050,?,?,?,?,?), ref: 6D18DEFB
    Strings
    Similarity
    • API ID:
    • String ID: ACP$OCP
    • API String ID: 0-711371036
    • Opcode ID: 9c4906bb3143aab272c95ecf2fb33b473e100ae95791b484867e95091df407ce
    • Instruction ID: cad634e7400d1f04ac4915cfdfa97a5b5b367354346ba65e6f7225d9b64c38bb
    • Opcode Fuzzy Hash: 9c4906bb3143aab272c95ecf2fb33b473e100ae95791b484867e95091df407ce
    • Instruction Fuzzy Hash: D121B862A98306AEE714CF58C900BA77266AFF1B50F478466E905D710EFBF6DD00CB90
    APIs
    • DecodePointer.KERNEL32(?,02C15E31,?,?,?,6D19F8BA,000000FF), ref: 6D19868B
    • _free.LIBCMT ref: 6D1986E4
    Strings
    Similarity
    • API ID: DecodePointer_free
    • String ID: csm
    • API String ID: 4139015823-1018135373
    • Opcode ID: 54b0b3338f2397bdcf4038d116ef9ab66ecfd76ea3b520d6255cb2c836daf0f8
    • Instruction ID: 0935131e534058cb8e22885a433572d808818172e397f1351361f387df806bd0
    • Opcode Fuzzy Hash: 54b0b3338f2397bdcf4038d116ef9ab66ecfd76ea3b520d6255cb2c836daf0f8
    • Instruction Fuzzy Hash: F821F6756082479BCF058F25C850B2AF7B5FF21315F55825AD4158F699CBF0E890CB91
    APIs
    Strings
    Similarity
    • API ID: _abort
    • String ID: SetThreadStackGuarantee$SystemFunction036
    • API String ID: 1888311480-2910880125
    • Opcode ID: 02253cfb563b7b019bdbf9181b7d2c4d7a07b37401d421ce2bb50710c62a76c4
    • Instruction ID: 8d21cdbf5b33ddf5e20d5f722642c2a5b8efb899206e64026b802c632d229b70
    • Opcode Fuzzy Hash: 02253cfb563b7b019bdbf9181b7d2c4d7a07b37401d421ce2bb50710c62a76c4
    • Instruction Fuzzy Hash: FF112535A0D21C77CB20AB259C04DBFBFA1CF44611B090166FD055B21BEAF04E1086D4
    APIs
    • GetModuleHandleW.KERNEL32(msvcrt.dll), ref: 6D17F61D
    • GetProcAddress.KERNEL32(00000000,000001BF), ref: 6D17F639
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: msvcrt.dll
    • API String ID: 1646373207-370904613
    • Opcode ID: e85070e8e35551cdff57cf3e68119d87ab59071052fa3264f91418a2aa22e2ad
    • Instruction ID: 61b84f85c0aca7fc09c56f8fb8120d2dc86e096f566825755f431ad2820682df
    • Opcode Fuzzy Hash: e85070e8e35551cdff57cf3e68119d87ab59071052fa3264f91418a2aa22e2ad
    • Instruction Fuzzy Hash: 10F0A4316082299F8B168B399814A1E37F5FF5A3807110069E40ADF26CEFF0880186D1
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D152084
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D152092
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Similarity
    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
    • String ID: pContext
    • API String ID: 1687795959-2046700901
    • Opcode ID: 4e671e93b05cf536ac0fbfed18d24e159cca27516f4e54ae0bf456911dfa00b0
    • Instruction ID: 2a72d5f1881b879e7841c8a1952c74aa097b4f8905f8e77ef9a3bb086b6342e5
    • Opcode Fuzzy Hash: 4e671e93b05cf536ac0fbfed18d24e159cca27516f4e54ae0bf456911dfa00b0
    • Instruction Fuzzy Hash: 8AF0E976B04128578B04ABA9DC50C6EB77D9F941647060166EE10D7359DFB0ED1186E1
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D15A9DE
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15A9EC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Similarity
    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
    • String ID: pScheduler
    • API String ID: 1687795959-923244539
    • Opcode ID: 30ddcf948204efa0c591b65c1fad377fc681381cf09d585d2cb02cef81143ccf
    • Instruction ID: a23e3e364035d961a0e5c32d3e1b245fdefc7a7cd34a6bf751d45780d9d01097
    • Opcode Fuzzy Hash: 30ddcf948204efa0c591b65c1fad377fc681381cf09d585d2cb02cef81143ccf
    • Instruction Fuzzy Hash: 2EF05C759441286BC718EB94D844CBD73786F12200746C11EE6715354DDBF4BE55C7A0
    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D1568FC
    • __CxxThrowException@8.LIBVCRUNTIME ref: 6D15690A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Similarity
    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
    • String ID: pThreadProxy
    • API String ID: 1687795959-3651400591
    • Opcode ID: 94b94325d9ac358827ac3c6367c2f2c405d3fd0f18f4d09fa6a943442ea1073c
    • Instruction ID: 9dcd3da7d7e358c1f6dddc89b8b5b3b3718d8734989094dce08701b94df6363c
    • Opcode Fuzzy Hash: 94b94325d9ac358827ac3c6367c2f2c405d3fd0f18f4d09fa6a943442ea1073c
    • Instruction Fuzzy Hash: 0CD05B71D0424C5BCB14DBB9DC05DA977A89B14204F4041B6EE24D710AEB71D514CAD1
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?), ref: 6D16ABD0
    • GetLastError.KERNEL32 ref: 6D16ABDE
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 6D16AC39
    Memory Dump Source
    • Source File: 00000003.00000002.2200090593.000000006D121000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D120000, based on PE: true
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: 8c0ac46d7668a270102de088b1fa30fd3304ddb24bff50a99427da237bcfa2d4
    • Instruction ID: bec95507aad735f64455d824c7e7b06a019e1765ed62723649ccc95f78d3d0b4
    • Opcode Fuzzy Hash: 8c0ac46d7668a270102de088b1fa30fd3304ddb24bff50a99427da237bcfa2d4
    • Instruction Fuzzy Hash: AA413A30A082A3AFCB128F64D844FBE7BB4EF52310F118169E95997199DBF0C921CB70