Edit tour

Windows Analysis Report
D3S2SyPdiw.dll

Overview

General Information

Sample name:	D3S2SyPdiw.dll renamed because original name is a hash value
Original sample name:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c.dll
Analysis ID:	1544790
MD5:	234fa81ac8057a55e9678cf0463a6ba6
SHA1:	49433e972cd1322e28204405947e19138a872e55
SHA256:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4092 cmdline: loaddll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6472 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5404 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2316 cmdline: rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5688 cmdline: rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3596 cmdline: rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1672 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 1560 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 320 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5560 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3752 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2172 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4724 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4676 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1124 cmdline: rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1830		3_2_6CBD1830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61830		13_2_6CE61830

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6CBBCEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6CBC9030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6CBCA360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CE4CEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CE59030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CE5A360

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD2A90 NtCreateWaitCompletionPacket,	3_2_6CBD2A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1A70 NtCreateWaitCompletionPacket,	3_2_6CBD1A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	3_2_6CBD1570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	3_2_6CBD11F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE62A90 NtCreateWaitCompletionPacket,	13_2_6CE62A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61A70 NtCreateWaitCompletionPacket,	13_2_6CE61A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE61570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	13_2_6CE61570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE611F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	13_2_6CE611F0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA0	3_2_6CBA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA2CA6	3_2_6CBA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26D40	3_2_6CC26D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCAD50	3_2_6CBCAD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFBD40	3_2_6CBFBD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBABE90	3_2_6CBABE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC24E40	3_2_6CC24E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDCF90	3_2_6CBDCF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF5FF0	3_2_6CBF5FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1E860	3_2_6CC1E860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC26860	3_2_6CC26860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBFD800	3_2_6CBFD800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB59F0	3_2_6CBB59F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0A992	3_2_6CC0A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD9C5	3_2_6CBCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC25AF0	3_2_6CC25AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB0AF0	3_2_6CBB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCCA30	3_2_6CBCCA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBAFBC0	3_2_6CBAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCBB10	3_2_6CBCBB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC37B10	3_2_6CC37B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC0344F	3_2_6CC0344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC3400	3_2_6CBC3400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBE6470	3_2_6CBE6470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC1440	3_2_6CBC1440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC296C0	3_2_6CC296C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBF8690	3_2_6CBF8690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC22680	3_2_6CC22680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC6D0	3_2_6CBCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC6630	3_2_6CBC6630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB80A0	3_2_6CBB80A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCC080	3_2_6CBCC080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA90F0	3_2_6CBA90F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBD6010	3_2_6CBD6010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC1D010	3_2_6CC1D010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCD040	3_2_6CBCD040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBA32A0	3_2_6CBA32A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBCB2D0	3_2_6CBCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDE240	3_2_6CBDE240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC93F0	3_2_6CBC93F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC073A0	3_2_6CC073A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBDA320	3_2_6CBDA320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA0	13_2_6CE32CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE32CA6	13_2_6CE32CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8BD40	13_2_6CE8BD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5AD50	13_2_6CE5AD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3BE90	13_2_6CE3BE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE85FF0	13_2_6CE85FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6CF90	13_2_6CE6CF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE8D800	13_2_6CE8D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE459F0	13_2_6CE459F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D9C5	13_2_6CE5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9A992	13_2_6CE9A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE40AF0	13_2_6CE40AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5CA30	13_2_6CE5CA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE3FBC0	13_2_6CE3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5BB10	13_2_6CE5BB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEC7B10	13_2_6CEC7B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE76470	13_2_6CE76470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE51440	13_2_6CE51440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE9344F	13_2_6CE9344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE53400	13_2_6CE53400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C6D0	13_2_6CE5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE88690	13_2_6CE88690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE56630	13_2_6CE56630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE390F0	13_2_6CE390F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE480A0	13_2_6CE480A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5C080	13_2_6CE5C080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5D040	13_2_6CE5D040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE66010	13_2_6CE66010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE5B2D0	13_2_6CE5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE332A0	13_2_6CE332A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6E240	13_2_6CE6E240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE593F0	13_2_6CE593F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE973A0	13_2_6CE973A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE6A320	13_2_6CE6A320

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC06BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE96BB0 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CBD7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CE67410 appears 691 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820

Source: D3S2SyPdiw.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7632555f-bd42-4c19-8b71-ba2d96eeeb40

Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate

Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 832
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 856
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: D3S2SyPdiw.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: D3S2SyPdiw.dll

Static file information: File size 1397248 > 1048576

Source: D3S2SyPdiw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

Source: D3S2SyPdiw.dll

Static PE information: real checksum: 0x15be84 should be: 0x15b335

Source: D3S2SyPdiw.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0183AF34 push eax; retf	0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_018803F6 push es; iretd	0_2_018803FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0543D28C push ebp; ret	11_2_0543D28D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0503AF38 push eax; retf	12_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D7C8 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3C15B push es; retf	14_2_04C3C330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3D5B6 push ds; iretd	14_2_04C3D7C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C3AF34 push eax; retf	14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04C3AF34 push eax; retf	16_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0503AF34 push eax; retf	17_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_050806B4 push edi; iretd	17_2_05080897
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503C84D push esp; ret	20_2_0503C84E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503AF34 push eax; retf	20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0508042C push ebx; iretd	20_2_05080439
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0543AF38 push eax; retf	21_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0548032C push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05480000 push edi; iretd	21_2_0548035B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503CB81 push esi; ret	23_2_0503CDA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0503AF34 push eax; retf	23_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0483CD6D push edx; iretd	24_2_0483CD71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0488036B push eax; retf	24_2_0488036A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_048801B6 push eax; retf	24_2_0488036A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC0C1E0 rdtscp

3_2_6CC0C1E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBA13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CBA13E0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBD1C90 RtlGetVersion,RtlGetCurrentPeb,

3_2_6CBD1C90

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	2 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
D3S2SyPdiw.dll	5%	ReversingLabs

Domains and IPs

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544790
Start date and time:	2024-10-29 18:50:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D3S2SyPdiw.dll renamed because original name is a hash value
Original Sample Name:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c.dll
Detection:	MAL
Classification:	mal48.mine.winDLL@35/0@0/0
EGA Information:	Successful, ratio: 13.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 4092 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1124 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1560 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2172 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 320 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3596 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3752 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4676 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4724 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5404 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5560 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5688 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7056 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: D3S2SyPdiw.dll

Simulations

Behavior and APIs

Time	Type	Description
13:51:15	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, PostQueuedCompletionStatus, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrlenA

msvcrt.dll

__mb_cur_max, _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memset, qsort, realloc, setlocale, strchr, strcmp, strerror, strlen, strncmp, strtol, vfprintf, wcslen, wcstombs

Exports

Name	Ordinal	Address
BarCreate	1	0x6d9546f0
BarDestroy	2	0x6d954970
BarFreeRec	3	0x6d954920
BarRecognize	4	0x6d9548d0
GetInstallDetailsPayload	5	0x6d954830
SignalInitializeCrashReporting	6	0x6d954880
SpellFree	7	0x6d954740
SpellInit	8	0x6d954790
SpellSpell	9	0x6d9547e0
_cgo_dummy_export	10	0x6da313a8

Target ID:	0
Start time:	13:51:04
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll"
Imagebase:	0x440000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarCreate
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",#1
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 820
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:51:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 832
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:51:08
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarDestroy
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:51:11
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\D3S2SyPdiw.dll,BarFreeRec
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarCreate
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarDestroy
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarFreeRec
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",_cgo_dummy_export
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 856
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellSpell
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellInit
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SpellFree
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",SignalInitializeCrashReporting
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:51:14
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",GetInstallDetailsPayload
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:51:15
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\D3S2SyPdiw.dll",BarRecognize
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 6CC0CFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 6CC0CFE8

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: dface9ad396d3c72dd14673e25032add400c51586c9fa60628f4e8b0204d07c9
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 3BE0E571505600CFCB15DF18C2C170ABBE1EB48A00F0485A8DE098FB4AE734ED10CB92

Non-executed Functions

Function 6CBB59F0 Relevance: 18.5, Strings: 14, Instructions: 1019
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 6CBB606A
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CBB699C
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CBB64EC
., xrefs: 6CBB61FE
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CBB6C4A
gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CBB5ABA
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CBB6C34
+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CBB64A4, 6CBB678B
@s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CBB62C7
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CBB68DC
5, xrefs: 6CBB6C27
gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CBB629A
non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CBB6C1E
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CBB6A06

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
API String ID: 0-2575422049
Opcode ID: b9dc93b8269737f115081b66f49fefb016dcdafe4159f1fb3502160098d3ec5f
Instruction ID: eef05fcad17fbf04fc2828617ad987f5a931ca181c04cc62d034033b128b0890
Opcode Fuzzy Hash: b9dc93b8269737f115081b66f49fefb016dcdafe4159f1fb3502160098d3ec5f
Instruction Fuzzy Hash: 6FB2F9746097848FD764DF68C19079EBBF5FB8A304F01892ED88997750EB74A848CF92

Function 6CBC93F0 Relevance: 16.9, Strings: 13, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CBC9BD7
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desQuickDogno anodeCancelIoReadFileAcceptExWSA, xrefs: 6CBC9C04
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CBC9C5B
runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CBC976B
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CBC9C88
runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CBC9CE8
, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CBC9D15
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CBC967A, 6CBC9AB3
] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CBC9B1A
][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CBC96A4, 6CBC9AED
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBC97A2, 6CBC9F68
] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CBC96CD
, [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CBC96F7, 6CBC9721, 6CBC9B44, 6CBC9B6E

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desQuickDogno anodeCancelIoReadFileAcceptExWSA$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1133492836
Opcode ID: fc3d9f5ed78763ee3438d10ef31640ef482da38bee1b9a4b57df8a5bb397983c
Instruction ID: 38617d65ec09707f0156c7861a92ed8d3a5e5d900b7f36763abcb4eb09f70bf1
Opcode Fuzzy Hash: fc3d9f5ed78763ee3438d10ef31640ef482da38bee1b9a4b57df8a5bb397983c
Instruction Fuzzy Hash: F4523675A197848FE320DF68C48079EB7F1FB89308F51892DE99897744DB74A848CB93

Function 6CBD1570 Relevance: 16.4, Strings: 13, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 6CBD16A2
RtlGetCurrentPeb, xrefs: 6CBD1734
NtAssociateWaitCompletionPacket, xrefs: 6CBD1690
ntdll.dll, xrefs: 6CBD1608
ProcessPrng, xrefs: 6CBD15BF
bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CBD1807
NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CBD17C5
RtlGetVersion, xrefs: 6CBD177E
, xrefs: 6CBD169A
bcryptprimitives.dll, xrefs: 6CBD158D
NtCreateWaitCompletionPacket, xrefs: 6CBD163E
NtCancelWaitCompletionPacket, xrefs: 6CBD16E2
P, xrefs: 6CBD17E4

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
API String ID: 0-2332038095
Opcode ID: 70e9cf950f26585ee721187b9b7a0a5ada864643b0d80f1faca65ef334eedec8
Instruction ID: b639926d22e0ec12e5597a7944a0e11bcf793208b80d287c7d2af33e707596f2
Opcode Fuzzy Hash: 70e9cf950f26585ee721187b9b7a0a5ada864643b0d80f1faca65ef334eedec8
Instruction Fuzzy Hash: C171F6B420A342DFDB44DF29D19469ABBF0FB8A718F05882DE49983750E774E449CF62

Function 6CBC3400 Relevance: 14.6, Strings: 11, Instructions: 876COMMON

Download Yara Rule

Strings

sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6CBC3E09
nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6CBC3D81
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CBC3C65
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6CBC418A
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBC3CE2, 6CBC4156
, xrefs: 6CBC3E12
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CBC41A9
sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6CBC3CB8, 6CBC412C
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CBC3D16
previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CBC3DAB
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6CBC3C4F

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-893999930
Opcode ID: deb9c25c5af214910a9bc42a7a74d5ed922b1aa9328bb94b8ea9c63ecef50948
Instruction ID: 8aa005a68847808c53b14ae12c9d5593a2b71f4e64b5d7be5b09a669740d9671
Opcode Fuzzy Hash: deb9c25c5af214910a9bc42a7a74d5ed922b1aa9328bb94b8ea9c63ecef50948
Instruction Fuzzy Hash: F28226B46093908FC750DF29C090AAEBBF1BF89708F44896DE8D887741E7759949CB93

Function 6CBD2A90 Relevance: 14.0, Strings: 11, Instructions: 253COMMON

Download Yara Rule

Strings

runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6CBD2F31
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6CBD2EFD
runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6CBD2DEC
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6CBD2DC9
NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6CBD2E20
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6CBD2E7B, 6CBD2ED6
,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CBD2D29
%, xrefs: 6CBD2F3A
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6CBD2E47, 6CBD2EA2
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6CBD2D6E
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6CBD2D95

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2809656213
Opcode ID: df31a90c477c02e5b975402742ac6238ca15e053324572a429f3e5d6b0bda1ac
Instruction ID: c445e897d467c79f9b23764659a92fc5d924aa4f643e7f84c74c9de86b295e3d
Opcode Fuzzy Hash: df31a90c477c02e5b975402742ac6238ca15e053324572a429f3e5d6b0bda1ac
Instruction Fuzzy Hash: 55C1B1B42097818FD701EF69C19479EBBF4EF89708F01896CE89887740E7B5A949CF52

Function 6CBA13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CBA13F0
LoadLibraryA.KERNEL32 ref: 6CBA1406
GetProcAddress.KERNEL32 ref: 6CBA1425
GetProcAddress.KERNEL32 ref: 6CBA1437

Strings

__deregister_frame_info, xrefs: 6CBA142C
__register_frame_info, xrefs: 6CBA141A
libgcc_s_dw2-1.dll, xrefs: 6CBA13E9, 6CBA13FF

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: eb36db2b2b81818ce6cd2b14454c1be8d9f2fe07d6e731391cc4b2f74d83476b
Instruction ID: 7c947803107b9f7403b832247962ab4e3f0cd3b44e52850681326cf426099d71
Opcode Fuzzy Hash: eb36db2b2b81818ce6cd2b14454c1be8d9f2fe07d6e731391cc4b2f74d83476b
Instruction Fuzzy Hash: 83011EB2909240DFD740BFB8A50631EBEB4EB46295F05852DD98987A10EA30C4169BA3

Function 6CC0344F Relevance: 12.0, Strings: 9, Instructions: 757COMMON

Download Yara Rule

Strings

2, xrefs: 6CC03E70
p, xrefs: 6CC03E7E
malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6CC03E3B
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CC0381F
3-, xrefs: 6CC03E78
4, xrefs: 6CC03E2E
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CC03E67
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CC03E25
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6CC03E51

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
API String ID: 0-234616912
Opcode ID: 1658d2e2e84c117f88c0a79be78057e880ce55e990c08896b6860e5543cdc572
Instruction ID: 3bf5f186b9126339fa0fd80b6380d691256011a92fb5b1f2fdc1b010dd57dde2
Opcode Fuzzy Hash: 1658d2e2e84c117f88c0a79be78057e880ce55e990c08896b6860e5543cdc572
Instruction Fuzzy Hash: 1962B1747083458FC314CF2AC090A6ABBF1BF89718F18896DE9A48B791E736D945CF42

Function 6CC1D010 Relevance: 10.8, Strings: 8, Instructions: 756COMMON

Download Yara Rule

Strings

invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6CC1D783
$, xrefs: 6CC1D78D
invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6CC1D095, 6CC1D188, 6CC1D258, 6CC1D814, 6CC1D936, 6CC1D9C7, 6CC1DA58, 6CC1DAED
v, xrefs: 6CC1D145
!, xrefs: 6CC1D20C
pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6CC1D8A5
n, xrefs: 6CC1D2D1
y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6CC1D2E5

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
API String ID: 0-3686076665
Opcode ID: f58232b5a60fb464183fcf63e02bd445e053bbb82d78ceb093413a9b951e0cde
Instruction ID: 77685cf7182915b4d9144f32fbc0ccbedbef87b19974bb3ee02026f1a432d750
Opcode Fuzzy Hash: f58232b5a60fb464183fcf63e02bd445e053bbb82d78ceb093413a9b951e0cde
Instruction Fuzzy Hash: 87723BB4A0C3458FC715DF29C08069AFBF1BB89704F548A2DE99887B41EB74D948DF92

Function 6CC22680 Relevance: 10.5, Strings: 7, Instructions: 1779COMMON

Download Yara Rule

Strings

%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWtiritasseisbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg, xrefs: 6CC23CEA, 6CC23FB5
0, xrefs: 6CC231D1
%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6CC240F9, 6CC243DB
0, xrefs: 6CC23387
)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6CC23D04, 6CC23FCF, 6CC24113, 6CC243F5
0, xrefs: 6CC23270
0, xrefs: 6CC23464

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWtiritasseisbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
API String ID: 0-2451174967
Opcode ID: fde3037a8f8a642f2f6a13f2273d86f9c8fd675d1682c9c4cd2b4a37ea5b724d
Instruction ID: 82e68cb9d0ca12da0f032bac55b3e523c4f7bd32e4a321f4d8c841de7977e41c
Opcode Fuzzy Hash: fde3037a8f8a642f2f6a13f2273d86f9c8fd675d1682c9c4cd2b4a37ea5b724d
Instruction Fuzzy Hash: E3030678A093818FC328DF19C09069EF7E1BFC8314F14892EE99997751E774A949CB93

Function 6CBF5FF0 Relevance: 10.5, Strings: 8, Instructions: 512COMMON

Download Yara Rule

Strings

(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6CBF6440
, xrefs: 6CBF6151
fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6CBF6659
sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6CBF6686
pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6CBF66B3
:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CBF651D
non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6CBF67E5
, xrefs: 6CBF6159

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
API String ID: 0-3830612415
Opcode ID: 430573493467e4693a738011e4f84984ff13f2695b7d7e14023746c671b4dc4e
Instruction ID: 2480b4da279f0b18ba531ddf8cb4bfcac66334a8d47761dae45209371fd40941
Opcode Fuzzy Hash: 430573493467e4693a738011e4f84984ff13f2695b7d7e14023746c671b4dc4e
Instruction Fuzzy Hash: 8E32D0746093818FC364DF69C180B9FBBF1AF89308F458D2EE8D897755DB34A8498B52

Function 6CBD1A70 Relevance: 8.9, Strings: 7, Instructions: 116COMMON

Download Yara Rule

Strings

runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CBD1C34
timeEndPeriod, xrefs: 6CBD1B73
&, xrefs: 6CBD1C3D
winmm.dll, xrefs: 6CBD1AF3
runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CBD1BD9
timeBeginPeriod, xrefs: 6CBD1B29
timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CBD1C0D

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
API String ID: 0-424793872
Opcode ID: 046c19d48763674f48cb83e269bf96b3eacfbd0cee1a23d7853b442628084e7f
Instruction ID: 211378c40f8d0ce7c9eea50b32bc8dbc18f201ee0cab5baa62b495115ecf1385
Opcode Fuzzy Hash: 046c19d48763674f48cb83e269bf96b3eacfbd0cee1a23d7853b442628084e7f
Instruction Fuzzy Hash: CA51D2B06093419FD704EF69D19479EBBF0BB8A308F05882DE49987B40EB75E449CF62

Function 6CBDCF90 Relevance: 8.6, Strings: 6, Instructions: 1093COMMON

Download Yara Rule

Strings

findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CBDE0A9
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CBDE093
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r, xrefs: 6CBDE0D5
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CBDE0BF
!, xrefs: 6CBDE0DE
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CBDE0EB

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
API String ID: 0-3082151594
Opcode ID: 326aff7b9193b846e9ab314e34a164c273b527bfb9ffd11ebe9f028dd75a7452
Instruction ID: f5003812a80ee608b11206a4343c1bf04edbd532c119b6b8bbbc26cda28e52b2
Opcode Fuzzy Hash: 326aff7b9193b846e9ab314e34a164c273b527bfb9ffd11ebe9f028dd75a7452
Instruction Fuzzy Hash: 81A2D1746093819FD754DF69D090B9EBBF0AF8A748F01892DE8D887740EB35A848CF52

Function 6CBD11F0 Relevance: 7.6, Strings: 6, Instructions: 133COMMON

Download Yara Rule

Strings

d, xrefs: 6CBD1276
runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CBD13C4
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CBD139D, 6CBD13F8, 6CBD144B
5, xrefs: 6CBD1420
runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CBD1369
runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CBD1417

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
API String ID: 0-2414937731
Opcode ID: 783202ffd88f4848f3173685a180ac17ec1cda7e4b3cdd5a5ec370f43d85c8ec
Instruction ID: b94aaa9e54e833571169cfe3839ccbe74ea140ce7aeaafb8cd6da7f81f22ac18
Opcode Fuzzy Hash: 783202ffd88f4848f3173685a180ac17ec1cda7e4b3cdd5a5ec370f43d85c8ec
Instruction Fuzzy Hash: EA51CCB46083809FD740EF69C1947AEBBF4AF88708F41886DE88887750D775A948CF63

Function 6CBC1440 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CBC19C0
!, xrefs: 6CBC1A18
min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CBC1A0F
runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CBC198C, 6CBC19DB

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
API String ID: 0-967014423
Opcode ID: e84a6b3445e087db2248d67063326bec3fb0ea3abca5a80da4af4354b8ce6835
Instruction ID: dd4c6e6133cd60091bb3ab805eb5e3a689e9920f030b89290a502eb381d2963e
Opcode Fuzzy Hash: e84a6b3445e087db2248d67063326bec3fb0ea3abca5a80da4af4354b8ce6835
Instruction Fuzzy Hash: E8F1E1727093658FD305DE99C4C065EB7E2EBC4308F198A3DD895AB784EB75E809C683

Function 6CBDA320 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CBDA843
stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CBDA7B0
stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CBDA690
stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CBDA7EB

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
API String ID: 0-2039697367
Opcode ID: 011c83386282ea02d083969101a56c6dd31ec611290102de98ab75da1d86f1b6
Instruction ID: ff7a912bd596fc3a3907e936e6b63f5f410058d8b3b60bb77a67ce4ad9657d5f
Opcode Fuzzy Hash: 011c83386282ea02d083969101a56c6dd31ec611290102de98ab75da1d86f1b6
Instruction Fuzzy Hash: EEF1E074A093808FC348CF69C190A5AFBF1FB89708F15896DE99887751DB71E949CF82

Function 6CC37B10 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 6CC37CC9
gfff, xrefs: 6CC37C1C
gfff, xrefs: 6CC37C33
., xrefs: 6CC37E04

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: f0363026120d56c9b886e76e2e792ec3b8d9b3fd04d4c85219d655f511123e7c
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: A8D1C171A08325CBD700DE29D68034BB7E2BF85348F18D96DE89C8BB45F770D9499B92

Function 6CBD1830 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

powrprof.dll, xrefs: 6CBD184D
', xrefs: 6CBD1891
', xrefs: 6CBD1889
PowerRegisterSuspendResumeNotification, xrefs: 6CBD187F

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4026319467
Opcode ID: f3df7e2c9fad917b876fac9d9301cea7abd05cdb126bb3f2091afebdc31046b8
Instruction ID: 99cf772b771adcb6e208df9aef95ca2b8ac8544d37b59b52ee4c1911ec000f58
Opcode Fuzzy Hash: f3df7e2c9fad917b876fac9d9301cea7abd05cdb126bb3f2091afebdc31046b8
Instruction Fuzzy Hash: 4B21E3B4A083419FD704CF25C08465ABBF0BB89318F45891DE48987740E775E689CF93

Function 6CBE6470 Relevance: 4.2, Strings: 3, Instructions: 451COMMON

Download Yara Rule

Strings

<, xrefs: 6CBE6A0D
runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CBE69D7
runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CBE6A04

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
API String ID: 0-450027851
Opcode ID: fa83476caa8249eacb08161c97538620e6c739b49cf3430e27c9e15c7c0141b2
Instruction ID: 44f076789db9a168e872ff2e94086aaf998da884a12c05fb424f2d2c7f603dc3
Opcode Fuzzy Hash: fa83476caa8249eacb08161c97538620e6c739b49cf3430e27c9e15c7c0141b2
Instruction Fuzzy Hash: BB025D70A087498FC714DF69C19065EBBE1FFC8748F14892DEA9887B50EB71E845CB82

Function 6CBD6010 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CBD648D
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CBD64A3
', xrefs: 6CBD64AC

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
API String ID: 0-3278438963
Opcode ID: b186eb37e40b0e9f97806596c7894aaa0c37029619b5f544f4ff42db12aeb64c
Instruction ID: 47e4d3a99702ae9308e77c7ef9446d1ee99a3cea2c3bb878be0d595a709ead7e
Opcode Fuzzy Hash: b186eb37e40b0e9f97806596c7894aaa0c37029619b5f544f4ff42db12aeb64c
Instruction Fuzzy Hash: 2ED10FB460D3808BC704CF2AC090A5ABBF1AF8A718F464C6DE8D587B51D735E944DB92

Function 6CBC6630 Relevance: 3.0, Strings: 2, Instructions: 499COMMON

Download Yara Rule

Strings

+, xrefs: 6CBC6D57
grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CBC6D4E

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3347251187
Opcode ID: 9df2df48f77e1049940b83702cca0ff2e0d5c9f8f7a04af693efa1296c5043d8
Instruction ID: 1b44649634aaaa3fd6a9432f531dc13a65b51cdf2a783e7a9f8f6077433aadf5
Opcode Fuzzy Hash: 9df2df48f77e1049940b83702cca0ff2e0d5c9f8f7a04af693efa1296c5043d8
Instruction Fuzzy Hash: 8E22DB7460D3818FD354DF69C090A6EBBF1AF89744F14892DE9D887760EB35E8888B43

Function 6CBCB2D0 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

@, xrefs: 6CBCB4FB
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBCB60F

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: 932ebde2ccf2021cc13e23da014cac3626b99d89e2aad53f895ec787291b43fd
Instruction ID: 4692cde473842998b54f154ef47d404c203f4b3199e585eb325f46d5cb12508e
Opcode Fuzzy Hash: 932ebde2ccf2021cc13e23da014cac3626b99d89e2aad53f895ec787291b43fd
Instruction Fuzzy Hash: 83A1A0756087198FD704DF18C88055EB7E1FFC8318F448A2DE9999B741EB34E95ACB82

Function 6CC0A992 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 6CC0A9B8
@, xrefs: 6CC0A9BD

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 6400b40bef47c8b1326ceb1d2aca95ca482bb01b8a0d7c5ae0e58865a5a060b0
Instruction ID: a24bb0b2b1b8d53c1116f762b8a27f79f72402bb5accd4655815468ee97dba17
Opcode Fuzzy Hash: 6400b40bef47c8b1326ceb1d2aca95ca482bb01b8a0d7c5ae0e58865a5a060b0
Instruction Fuzzy Hash: 59518714D0CF5B65E6330ABEC4026667B206EB3144B01D76FFDD6B58B2EB136940BE22

Function 6CBBCEC0 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

,, xrefs: 6CBBCFAA
gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CBBCFA1

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
API String ID: 0-27675022
Opcode ID: b74e6a163fe096dcb48911ab91a0330f5761108e22c7f00b5998fddb6b7eb164
Instruction ID: 4ca1736d36fec6c70c800b51b9e43fa0d00b931d40e0e18535f78ba98aabf0e5
Opcode Fuzzy Hash: b74e6a163fe096dcb48911ab91a0330f5761108e22c7f00b5998fddb6b7eb164
Instruction Fuzzy Hash: 2D3181757093968FD305DF14C490A69B7F1BB86608F0881BDDC885F383DB31A84ACB85

Function 6CC25AF0 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6CC25C8E

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
API String ID: 0-1364986362
Opcode ID: 065ad093db40acf3235e777fac6366dc590826b75a7c406c25da4ae5e697caa5
Instruction ID: 4ac5fdfa7494b9211ebbc268605b1dd6c090bb8dd4146162cb389ce937265e50
Opcode Fuzzy Hash: 065ad093db40acf3235e777fac6366dc590826b75a7c406c25da4ae5e697caa5
Instruction Fuzzy Hash: A95206B5A083858FD334CF19C5907CBFBE1ABC5308F44892DD9D89B391E7B599488B92

Function 6CBF8690 Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

4, xrefs: 6CBF89FB

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: a4a2e0c6b0f64d6de700177ea8a94f0b8fcb0c68258f24b81c6f0561f4751a07
Instruction ID: f9a4f46421b659300524ce24a30ed80ca65cd317640a430888ec2badaeef56d3
Opcode Fuzzy Hash: a4a2e0c6b0f64d6de700177ea8a94f0b8fcb0c68258f24b81c6f0561f4751a07
Instruction Fuzzy Hash: 6522C57560D3858FC734DE59C4C466EB7E1EFC6304F14862ED9A98BB51D732A80ACB82

Function 6CBB0AF0 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CBB0D52

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: 7fcf5847297d53f194c3a2e14ffa2cc89bddbf14d61faae883d2754e66e620bf
Instruction ID: 8d1412ea6476994a600124fc841d3cd28fb5d375ceb8ec60c199b2e979524968
Opcode Fuzzy Hash: 7fcf5847297d53f194c3a2e14ffa2cc89bddbf14d61faae883d2754e66e620bf
Instruction Fuzzy Hash: 4DD122B46093859FC744DF28D19066EBBF0BF89708F00892EE8D997740EB35E949CB52

Function 6CBCD040 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CBCD3CB

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-429552053
Opcode ID: 60cd77b213c143d972e73e90e07437fbd9899e8460b08eb0784c9b23a132ed38
Instruction ID: d19fba3eb08e41436ab0a91dd8a56287897588fdbaff1438e824596e7f2c9621
Opcode Fuzzy Hash: 60cd77b213c143d972e73e90e07437fbd9899e8460b08eb0784c9b23a132ed38
Instruction Fuzzy Hash: 81B113786493859FC744DF68D08086AB7F1FB8A348F55492DE8948BB10E730E94ACF93

Function 6CC296C0 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;, xrefs: 6CC299AA

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: bc01df539034040941663e8bccdd76b3de91aa26bfd8cef75e98a80ecad508bc
Instruction ID: b00b48b835487c44a46d4453eb5c00eb7ab20f1bf9fdddd366ab7d1b8cd14aff
Opcode Fuzzy Hash: bc01df539034040941663e8bccdd76b3de91aa26bfd8cef75e98a80ecad508bc
Instruction Fuzzy Hash: 5AA16371B083054FD70CDE5DD95131ABAE2ABC9304F05CA3DE58DCB7A4E638D9098B86

Function 6CBCA360 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

@, xrefs: 6CBCA588

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7e69109e4f0ba8c9a89141fce1a48448c419e392d12ee80780a8f93659d40cc0
Instruction ID: 761c1bb1c5c7022658b049f05d9abf095452e110f292e96c2febf8094ee59305
Opcode Fuzzy Hash: 7e69109e4f0ba8c9a89141fce1a48448c419e392d12ee80780a8f93659d40cc0
Instruction Fuzzy Hash: 1691FFB5A093459FC344DF28C08065EBBE1FF88748F449A2EE89997741E735D989CF82

Function 6CC1E860 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c20a3676cbcbfae72535a2d404c0eabc15745ce1e86f25f1d0b0f24354399d
Instruction ID: 27127d6c5532f5d70c26c7389b54c99e1abd90082e4377c1e6ca7dea74cb736e
Opcode Fuzzy Hash: 31c20a3676cbcbfae72535a2d404c0eabc15745ce1e86f25f1d0b0f24354399d
Instruction Fuzzy Hash: 00825B75A083548BC728DE1EC49069AF7F2BBCD304F59892ED59DD3B50EB70A905CB82

Function 6CC26D40 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2376301c3449da0090e42d6b193fe39eddefd362c447292b90f365b2a4bf929
Instruction ID: 6ceb207c5052550694cb21f7bafdb2a1142cf079a2aaa1281350f476932eb6a3
Opcode Fuzzy Hash: b2376301c3449da0090e42d6b193fe39eddefd362c447292b90f365b2a4bf929
Instruction Fuzzy Hash: 6D227D75A0C7458FD724CE69C4D035BF7E2BF85304F54882DE9898BB41FB79A8099B82

Function 6CC24E40 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92f6ca2a687a5f4d2fe0d282606c6d10465e9bcd558d0168dec061d3efb8465
Instruction ID: e500f6e3583afc623dfca51de19dd3c72825e1a862be238cf31ad929290e5a36
Opcode Fuzzy Hash: d92f6ca2a687a5f4d2fe0d282606c6d10465e9bcd558d0168dec061d3efb8465
Instruction Fuzzy Hash: 3E12A972A087098FC324DE5DC98124AF7E6BBC4304F55CA3DD9588B755EB74E9098B82

Function 6CBCC080 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec60899f6da3d5e34edf31f99a89d2c9077f978ef8b3c71ccb7b462457e12233
Instruction ID: 4ab541fff6ee7aa24f55b30dc59aafb95cf106db80d3f8d7991c4d6e3bba0b1b
Opcode Fuzzy Hash: ec60899f6da3d5e34edf31f99a89d2c9077f978ef8b3c71ccb7b462457e12233
Instruction Fuzzy Hash: 40E1F233B497594BD319EDAD88C025EB2D2ABC8344F19873CDD649B780FA75DD0A86C2

Function 6CBFBD40 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19175554855d4e7321d23783a4b5ecd1de4740ee79f028b53d7891bc9e8dee2
Instruction ID: bccf7fc4392bdaa786fdf1fe9b87f65421217f988f50f94779ba15489aabd77e
Opcode Fuzzy Hash: d19175554855d4e7321d23783a4b5ecd1de4740ee79f028b53d7891bc9e8dee2
Instruction Fuzzy Hash: D80285356083468FD324DF68C48066EF7E1FF85348F54892DE9A58BB41D731E94ACB92

Function 6CBCBB10 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3621ce50e29acd488cc72666ffadb125625f37a1a0d6f36bbe4addd537c6078b
Instruction ID: 512d3c1d6c16f8e8ffcd9e9d09735b30c3414abb20eb8449536418ceecab7adb
Opcode Fuzzy Hash: 3621ce50e29acd488cc72666ffadb125625f37a1a0d6f36bbe4addd537c6078b
Instruction Fuzzy Hash: CEE1B333F2472507D3149E58CC80249B6D2ABC8670F4EC72DED959B781EAB4ED5987C2

Function 6CC26860 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5448653c55e7ad3b4e8066a66e6fd9985967198d09e6c00a61530e0e4b7e531a
Instruction ID: 01366b4bf16d018fbdb816494c565d7f383df564ffb53a6285383f573059f136
Opcode Fuzzy Hash: 5448653c55e7ad3b4e8066a66e6fd9985967198d09e6c00a61530e0e4b7e531a
Instruction Fuzzy Hash: 99E1C172A4DB658BC305CF2AC45021EFBE2BBC5704F45896DE891CB740E779D909CBA2

Function 6CBB80A0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2436f37123da3b6defca27925d84aeff2bb1f9ff6ddfdbcd5da6569a2447b2b0
Instruction ID: 2608c6fe34cdcff5f0914790b7a2627845aeebf9666125da3936dee412fe3924
Opcode Fuzzy Hash: 2436f37123da3b6defca27925d84aeff2bb1f9ff6ddfdbcd5da6569a2447b2b0
Instruction Fuzzy Hash: 5AC1E532B493164FC708DE6DC89061EF7D2ABC8304F49463DE8599B7A5EBB5EC058782

Function 6CBFD800 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a828119fe6749c396e51231cf552996a898ea7ef6db31b2f6a329cbbce6062d9
Instruction ID: 3751d2a442b3d7083f1f05f6f2c53563687ee27b559bfa33a2f1f91bbc5f017a
Opcode Fuzzy Hash: a828119fe6749c396e51231cf552996a898ea7ef6db31b2f6a329cbbce6062d9
Instruction Fuzzy Hash: 12E1D73160D3968FC315DF68C4D056EFBE1AF8A204F044A7DE9958BB92D730D90ACB92

Function 6CBDE240 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91524c4c657717c19023e24cb3956bd6c027178f4dbddf5efce86cdd94550d82
Instruction ID: cb478117755d7ed87bf68e350b04ce825730e7e7dcb7c7fd3865894864721ecc
Opcode Fuzzy Hash: 91524c4c657717c19023e24cb3956bd6c027178f4dbddf5efce86cdd94550d82
Instruction Fuzzy Hash: 15F1CF7460D3918FC364CF29C090B5EBBE2BBCA704F55892EE9D887751DB31A845CB92

Function 6CBCC6D0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ddad08b024638680ec7457511f8f5343845865182ee38f6cfdcce69bb7b543
Instruction ID: 06be0321d71d7c701d5549af205fdb26d7d63421620c2a97d3123ecb41512bc3
Opcode Fuzzy Hash: e2ddad08b024638680ec7457511f8f5343845865182ee38f6cfdcce69bb7b543
Instruction Fuzzy Hash: 6B9145327097554FC319EE99C4D051EB3E2FBC8348F58873CD9AA4B780EB7699098683

Function 6CBCCA30 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1aa2fc6e74737fc6b1854adca51396fdd879a43735b1de333d14980a6fb627
Instruction ID: abbd3c0246dbddbfdd8a9bf527ac4000db17c568d7e0fe820854e7e22012a426
Opcode Fuzzy Hash: ee1aa2fc6e74737fc6b1854adca51396fdd879a43735b1de333d14980a6fb627
Instruction Fuzzy Hash: 12812236B497790FD311EEA988D025E3292EBC4358F19473CD9748BBC5EBB1990682C2

Function 6CBCAD50 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfa56e0e1923bdd9f11ef9f1972497547ffc101d49d85c2dad3eacc6138a49e
Instruction ID: 7f6b66235d4b9d2d6c5c1e9422058d195d00b78061d359af3629e28a285dc3c4
Opcode Fuzzy Hash: fbfa56e0e1923bdd9f11ef9f1972497547ffc101d49d85c2dad3eacc6138a49e
Instruction Fuzzy Hash: 8D91B776B187194BD304DE59CCC0259B3D2BBC8724F49C63CE8A89B745E674EE49CB82

Function 6CBA32A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d138d354ee38eb84039718e6ebe8383b11a3a707cbe5b081f35cd2ba8a0928cb
Instruction ID: 141771d72f4281d5751fd583ac123f9a20b7fb27d277401c4c5c3da1511b54f8
Opcode Fuzzy Hash: d138d354ee38eb84039718e6ebe8383b11a3a707cbe5b081f35cd2ba8a0928cb
Instruction Fuzzy Hash: 0D81F7B2A183508FC314DF29D88095AF7E2BFC8748F46892DF988D7711E771E9158B86

Function 6CBC9030 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07172026fd2f8a6d54e86a4025ee7052f28d52a22df54f5c30bc60cd65ad31cc
Instruction ID: 06b03fdf3e8e432dc9c243bdaf4ad959a6501bb85c574bb6bf4cf07221d2e121
Opcode Fuzzy Hash: 07172026fd2f8a6d54e86a4025ee7052f28d52a22df54f5c30bc60cd65ad31cc
Instruction Fuzzy Hash: 8291ACB4A093459FC308DF28C090A5ABBF1FF89748F508A6EE89997751D730E945CF46

Function 6CBA2CA6 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
Instruction ID: 98cd1c23419d459fda0941fff998e2de6228d27e71e5feafe237baef396f9558
Opcode Fuzzy Hash: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
Instruction Fuzzy Hash: 9151777090C3A44AE3158FAF48D402EFFE1AFC6301F844A6EF5E443392D5B89515DB6A

Function 6CBA2CA0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90476cbaf935014c159576f0b1ffece01f8135deaaa1efb8f424032940e62b12
Instruction ID: f1346b59d21a35ebf3f9a55fa3d857ab5a4679a32f1d4f3c7dafdfc495b3263a
Opcode Fuzzy Hash: 90476cbaf935014c159576f0b1ffece01f8135deaaa1efb8f424032940e62b12
Instruction Fuzzy Hash: 4C51567090C3A44AE3158F6F48D402AFFF1AFC6301F884A6EF5E443392D5B89515DBAA

Function 6CBCD9C5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc33f7bded6d5c9d43b6b31c114bc0eb8c1cf2946cdcec51adc44675b0614bf9
Instruction ID: 146a78852645d0088f878a173f545c7c9d5def58ecdc7f2f78e94a643a15cf7a
Opcode Fuzzy Hash: dc33f7bded6d5c9d43b6b31c114bc0eb8c1cf2946cdcec51adc44675b0614bf9
Instruction Fuzzy Hash: AE5159757493229FC318DF69C490A1AB7E0FB88604F05867CE9599B392D731E846CBC2

Function 6CBABE90 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2a637c8c4a871ece6c459ccdd4786d6a396f0faa3bfe192aeb4b51b1a4a16b
Instruction ID: 1df9dad7c5de8850119fb3076c7ebc0e38e2a01f77deda9bffe43a32a76e4b02
Opcode Fuzzy Hash: ca2a637c8c4a871ece6c459ccdd4786d6a396f0faa3bfe192aeb4b51b1a4a16b
Instruction Fuzzy Hash: E541E471A08F444FC306DE79C49021AB3E5FFC6384F44872EE99A6B751EB318846CB42

Function 6CBAFBC0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb1b90556f687b997fbc4001a648fb9ab880036047cb7a768f5d39b3d055ec3
Instruction ID: 4a3289dcaea018e8facb1531cf64581dc3bdcf8a195d5dab9feaf03f1ba9bd8e
Opcode Fuzzy Hash: fbb1b90556f687b997fbc4001a648fb9ab880036047cb7a768f5d39b3d055ec3
Instruction Fuzzy Hash: 533143B391975D8BD300AF498C40149F7E2AFD0B20F5E8A5ED99417701EBB0AA15CBC7

Function 6CBA90F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363603b338ed3db86de6933acbffb220ea8fc93dbd5690f54a1f80d724d261f8
Instruction ID: b3c4169b71c6c2fc54816495fef7325b4990185921f77275eee62cfab5a839c9
Opcode Fuzzy Hash: 363603b338ed3db86de6933acbffb220ea8fc93dbd5690f54a1f80d724d261f8
Instruction Fuzzy Hash: 4521C231B482518BDB08CE7DC8E0126B7F3EBCA710B49856CD58587BA4DA35A80AC756

Function 6CBD1C90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3425632c48c628bb390d043f6281f5782e515c6323cb71d4a9f9d8b2d250efd0
Instruction ID: 9499fcd6384a4909e3a225800bb5888f02e88598185ca25704a55d1815ec6fb9
Opcode Fuzzy Hash: 3425632c48c628bb390d043f6281f5782e515c6323cb71d4a9f9d8b2d250efd0
Instruction Fuzzy Hash: 17119A747093818FD704CF24D0A06A9BBB1EF8A318F09489CD48A4BB91D77AA849CB52

Function 6CC073A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0248ed97d837026d53d747f5f61a766f77147fb3e0e379a32e0993f00caddd20
Instruction ID: fa7b147c802a805c124a580fbf00b31e0548a04e12112f5a72bd4f3c2af46e55
Opcode Fuzzy Hash: 0248ed97d837026d53d747f5f61a766f77147fb3e0e379a32e0993f00caddd20
Instruction Fuzzy Hash: 9911DBB4704B118FD398DF59C0D4A65B3E1FB8C200B4A81FDDB0A8B766C670A855DB95

Function 6CC0C1E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757fd8d19acb1a9c2511f712aa08bdab3dc7bc6c8899d10c0e8b13bee56c44a7
Instruction ID: c71fcfb615ac7bc02c31c4d9bc777299f931461542f01040c80fba166b0c50e8
Opcode Fuzzy Hash: 757fd8d19acb1a9c2511f712aa08bdab3dc7bc6c8899d10c0e8b13bee56c44a7
Instruction Fuzzy Hash: DBC04CB0A1A3615DF750DB1D8140346BEE59B86344F84C49DA248C2546D37686805667

Function 6CC3B7C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CC3B7EF
vfprintf.MSVCRT ref: 6CC3B80F
abort.MSVCRT ref: 6CC3B814
VirtualQuery.KERNEL32 ref: 6CC3B8AB

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CC3B926
VirtualQuery failed for %d bytes at address %p, xrefs: 6CC3B957
Address %p has no image-section, xrefs: 6CC3B96B
Mingw-w64 runtime failure:, xrefs: 6CC3B7E8

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: cd9ca9acd5da9d704d1f04ee3ad627f1338a0a6aa15024602a398ced1c44dea7
Instruction ID: 3dce9dd05035d69e163ae9942590129ddfd1fc7609e7ee7d9399b660d81bbf04
Opcode Fuzzy Hash: cd9ca9acd5da9d704d1f04ee3ad627f1338a0a6aa15024602a398ced1c44dea7
Instruction Fuzzy Hash: F65180719047209FDB00EF28E48564AFBF4FF85318F45991DE98C8BB10E734E4498B92

Function 6CC3B980 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unknown pseudo relocation bit size %d., xrefs: 6CC3BAED
Unknown pseudo relocation protocol version %d., xrefs: 6CC3BC73
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CC3BAA0

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 1a8aa11245e1f64cbb238d16f791127c6ae5928e04d1763bde3f26ed4138ea19
Instruction ID: 52d7f6d411ca54b7bd623c538db27d96f6008a89fc2cb3314a5d2d9b3b900775
Opcode Fuzzy Hash: 1a8aa11245e1f64cbb238d16f791127c6ae5928e04d1763bde3f26ed4138ea19
Instruction Fuzzy Hash: 3A91F671E04A299FCB10DF59E49168EBBB4FF85344F049529D949A7B04F730E846CBD2

Function 6CC368E0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CC369B1

Strings

0, xrefs: 6CC36E2E
o, xrefs: 6CC36D98

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction ID: 7c3c04ea350cd24ad9fd84ef89416e8262381c9a43360cf675de3dbd85ce0948
Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction Fuzzy Hash: 96F19371A04A248FCB01CF69D4806CDBBF2BF89364F199269D898EB751E734E945CF90

Function 6CC38050 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6CC38068

Strings

@, xrefs: 6CC38337
NaN, xrefs: 6CC38A2B
Inf, xrefs: 6CC38B25, 6CC38B3D

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 535c2799c85b85976ca58ba4507f7122ca406d70e85f8700473b3c4cf2515e95
Instruction ID: b1a2a589ad443c97cd93d607afeb3127f543ece95f06845e79d67f95b2977074
Opcode Fuzzy Hash: 535c2799c85b85976ca58ba4507f7122ca406d70e85f8700473b3c4cf2515e95
Instruction Fuzzy Hash: C4F1C27160C3A18BD7208F25E450B9BBBE1BB86318F149A1FD9DCD7781E735950ACB82

Function 6CC36E50 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6CC371B6
@, xrefs: 6CC3711A

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction ID: 20262873663e2f5c7a0d0a87c49be8753137925b287d57e9b70279a040a343f5
Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction Fuzzy Hash: 80C1AF72E04625CBCB04CF68E98078DBBF1BF89314F149219D858EB785E339E806DB90

Function 6CC3CD90 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6CC3CD9C
GetProcAddress.KERNEL32 ref: 6CC3CDBC
GetProcAddress.KERNEL32 ref: 6CC3CDFB

Strings

___lc_codepage_func, xrefs: 6CC3CDB4
msvcrt.dll, xrefs: 6CC3CD95
__lc_codepage, xrefs: 6CC3CDF0

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 19ceffde08c17952243b34ec78a07fb3fc095492701108d00c267fd1af82f17e
Instruction ID: cb735bdfedebe7e52fb45b919c31c8bedc950c64f4ff12e11aa903a7ea28d406
Opcode Fuzzy Hash: 19ceffde08c17952243b34ec78a07fb3fc095492701108d00c267fd1af82f17e
Instruction Fuzzy Hash: C0F09CB19462304F9B01BF3C690725E7EF4BA49254F15467EE889C7654F634D440CB92

Function 6CBA1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CBA1281,?,?,?,?,?,?,6CBA13AE), ref: 6CBA1057
_amsg_exit.MSVCRT ref: 6CBA1086

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 7c88cfab9602263a2b1fcdefb9c47005508133c5c8c056cdfef627cce467250b
Instruction ID: 99df49356b542eab12cdadf8394cd7f4b2b88fbbb06c9b7f2a2aecd2164958c4
Opcode Fuzzy Hash: 7c88cfab9602263a2b1fcdefb9c47005508133c5c8c056cdfef627cce467250b
Instruction Fuzzy Hash: 3C315CB070D291CBEB90AFAAD58231A77F8EB86348F19852DD5848BF40D735C446DB82

Function 6CC3C7C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CC3C7D9
_unlock.MSVCRT ref: 6CC3C801
calloc.MSVCRT ref: 6CC3C84F

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction ID: 2c1e1e33d10f342b450901570dc48cf3302b4fff86ca8d3ad56df8665a2ff12a
Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction Fuzzy Hash: 4A113A71A042318FD740AF29E48079ABBE0BF89354F159A69D89CCB745FB34C944CBA2

Function 6CC35FC0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CC35FF0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC346F9), ref: 6CC35FFC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC346F9), ref: 6CC3600E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CC346F9), ref: 6CC3601E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CC346F9), ref: 6CC36030

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 7a5462ea3850e60571cd9be30671d00f0435d598fa4e552f4e8874aa75326afd
Instruction ID: 4fe226dea79ff969b5d271a0712ab31558211722f947e3de6dafeb3cbb1584f7
Opcode Fuzzy Hash: 7a5462ea3850e60571cd9be30671d00f0435d598fa4e552f4e8874aa75326afd
Instruction Fuzzy Hash: EA019EB1608354CFEB00BF7DE98755ABBB8AF96214F010629E98443F18E630E459CB97

Function 6CC35E90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CC35EB2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC35F65), ref: 6CC35ECB
abort.MSVCRT ref: 6CC35EF5

Strings

runtime: failed to create runtime initialization wait event., xrefs: 6CC35EE5

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabort
String ID: runtime: failed to create runtime initialization wait event.
API String ID: 3843693739-3277801083
Opcode ID: 0d5be6cc69e000815f88dacb6819b7284135b8837bcfbf8fdcd78ea7a71208fc
Instruction ID: 31dc57ea9f146bd1f69418863747cdbd92896fd3a53730b891989f40e6660833
Opcode Fuzzy Hash: 0d5be6cc69e000815f88dacb6819b7284135b8837bcfbf8fdcd78ea7a71208fc
Instruction Fuzzy Hash: 3FF017B19097118FEB00BF78D50A35EBAF4BB41348F81895CD48987A54FB79C1498B93

Function 6CC3C8F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6CC3C942
MultiByteToWideChar.KERNEL32 ref: 6CC3C985

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 23a3dea5d79ac44a40e59ff8430b05f7be707ee6346e6fe689ee6bf9a911d86d
Instruction ID: 64122b75e0df656cd9b617aef356c586db52258e3c533b3bffb3968f9d5562c1
Opcode Fuzzy Hash: 23a3dea5d79ac44a40e59ff8430b05f7be707ee6346e6fe689ee6bf9a911d86d
Instruction Fuzzy Hash: 0431F3B15093618FD700EF29E08420EBBF0BF86358F008A5EE8D987650E376D949CB42

Function 6CC366A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CC36721

Strings

NaN, xrefs: 6CC366A1

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction ID: 1e208be5833aab80254a267df0933600626431a67087a440d8d569fcac82462a
Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction Fuzzy Hash: 724118B5A05A25CBCB10CF19D484746B7E1BF86748B699399DC8CCF74AE332D846CB90

Function 6CC3A850 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,6CC3A971,?,?,?,?,?,?,00000000,6CC38C14), ref: 6CC3A877
InitializeCriticalSection.KERNEL32(?,?,?,?,6CC3A971,?,?,?,?,?,?,00000000,6CC38C14), ref: 6CC3A8B4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CC3A971,?,?,?,?,?,?,00000000,6CC38C14), ref: 6CC3A8C0
EnterCriticalSection.KERNEL32(?,?,?,?,6CC3A971,?,?,?,?,?,?,00000000,6CC38C14), ref: 6CC3A8E8

Memory Dump Source

Source File: 00000003.00000002.2073971930.000000006CBA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBA0000, based on PE: true

Associated: 00000003.00000002.2073957282.000000006CBA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074041099.000000006CC3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074057736.000000006CC3E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074072420.000000006CC3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074091147.000000006CC44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074159047.000000006CCED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074179673.000000006CCF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074218241.000000006CD0B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074233670.000000006CD12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074253157.000000006CD13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2074270497.000000006CD16000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cba0000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: cb4d6e06b20156c684ce71473877f85e92276f3f3adcac6c65bee256282e446d
Instruction ID: ec35fb1fc6e56a621b3bae2a2926c227ef88662b7c7c4dc0270baf265dc1daf9
Opcode Fuzzy Hash: cb4d6e06b20156c684ce71473877f85e92276f3f3adcac6c65bee256282e446d
Instruction Fuzzy Hash: 3411E1B16152248AEF00BBACB08725A37F8EF96354F110525D95AC7E10F631D4A7C793

Analysis Process: rundll32.exePID: 1672, Parent PID: 4092COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 6CE9CFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 6CE9CFE8

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: 820e7c53382bb6a332aba16a7ffec404e54b0265315eeaf53508a1385cb48f21
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 1FE0E571505600CFCB15EF18C2C170ABBF1EB48A00F0485A8DE098FB4AD734ED10CB92

Non-executed Functions

Function 6CECB7C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CECB7EF
vfprintf.MSVCRT ref: 6CECB80F
abort.MSVCRT ref: 6CECB814
VirtualQuery.KERNEL32 ref: 6CECB8AB

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CECB926
Mingw-w64 runtime failure:, xrefs: 6CECB7E8
VirtualQuery failed for %d bytes at address %p, xrefs: 6CECB957
Address %p has no image-section, xrefs: 6CECB96B

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 0cf6254c4c546d0392356702f8044d7d289fd833dbb57fb641c34a0e4b450834
Instruction ID: 149775191ad8373aec6ac9210ae2d97bd8b26b7cca52b3ee6b8e83a0c080f130
Opcode Fuzzy Hash: 0cf6254c4c546d0392356702f8044d7d289fd833dbb57fb641c34a0e4b450834
Instruction Fuzzy Hash: D85136B2A14301DFCB40DF68D58574AFBF4BF85318F658A1DE8A89B710D734E4498B92

Function 6CECB980 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6CECBC73
Unknown pseudo relocation bit size %d., xrefs: 6CECBAED
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CECBAA0

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: a779399dbf2e3ffb260ad0d18fbfcdd4a0e778df3c075ef1120d97cbd888dd40
Instruction ID: 4c3ac64e0536678e5355e64781d4d42242d90856464ff78973b8417ba72ab7f9
Opcode Fuzzy Hash: a779399dbf2e3ffb260ad0d18fbfcdd4a0e778df3c075ef1120d97cbd888dd40
Instruction Fuzzy Hash: 4E919C72E14216CBCB10DF68D680B9EB7F4BF45308F299669D864ABB04D334E8458B92

Function 6CEC68E0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6CEC69B1

Strings

0, xrefs: 6CEC6E2E
o, xrefs: 6CEC6D98

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction ID: 5d54d0841d39a5f06147225db731ba1bca482fb63dc5055561fedfe0a2d0a2a2
Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction Fuzzy Hash: B1F18471B046058FCB04CF68C5806AEBBF6BF89364F29C229D864EB751D734E945CB92

Function 6CE313E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CE313F0
LoadLibraryA.KERNEL32 ref: 6CE31406
GetProcAddress.KERNEL32 ref: 6CE31425
GetProcAddress.KERNEL32 ref: 6CE31437

Strings

__deregister_frame_info, xrefs: 6CE3142C
libgcc_s_dw2-1.dll, xrefs: 6CE313E9, 6CE313FF
__register_frame_info, xrefs: 6CE3141A

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 89fd5fcd815cfccb5d8d7af6966bacf0aaa070cbd96c4e07da85edccb1788c2a
Instruction ID: 0e6e911baadcdc5eb703535b58f22122feea07550d2303071306a1e950045466
Opcode Fuzzy Hash: 89fd5fcd815cfccb5d8d7af6966bacf0aaa070cbd96c4e07da85edccb1788c2a
Instruction Fuzzy Hash: CD0171B2A193508BC7007FB8B50735EBEF4EB42244F12543ED98987614D731E405CBA3

Function 6CEC8050 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6CEC8068

Strings

NaN, xrefs: 6CEC8A2B
Inf, xrefs: 6CEC8B25, 6CEC8B3D
@, xrefs: 6CEC8337

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 9e4378b54cd2eec39ceabbbc635e426485ec49d7ee64cbcd14c322d0d64a60eb
Instruction ID: 6f48909985b170b73f76a59f1b8a63402ef24e33fe7a4f472c2046e1599cb88b
Opcode Fuzzy Hash: 9e4378b54cd2eec39ceabbbc635e426485ec49d7ee64cbcd14c322d0d64a60eb
Instruction Fuzzy Hash: CFF18E7170C3818BD7318E24C69079BBBF1BB86318F258A1ED9EC97782D73599068B43

Function 6CEC6E50 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6CEC71B6
@, xrefs: 6CEC711A

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction ID: 85692e86760f3312b2074e541a64f1d6c4cfdd1422eb4638e5fb3c3659036831
Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction Fuzzy Hash: 61C16071B042158FDB04CF69C68178EBBF5BF89318F248259EC64AB785D335E845CB92

Function 6CECCD90 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6CECCD9C
GetProcAddress.KERNEL32 ref: 6CECCDBC
GetProcAddress.KERNEL32 ref: 6CECCDFB

Strings

msvcrt.dll, xrefs: 6CECCD95
__lc_codepage, xrefs: 6CECCDF0
___lc_codepage_func, xrefs: 6CECCDB4

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 7df98d928e0289bfab05d09bc97db8a8aaaba4a3b6f947974a74b69f5028027f
Instruction ID: 8dcd9c52c509a30b598da15349207bb4492bc170d2182b0690e014b4db2225a4
Opcode Fuzzy Hash: 7df98d928e0289bfab05d09bc97db8a8aaaba4a3b6f947974a74b69f5028027f
Instruction Fuzzy Hash: B4F06DB1B552208BDB40BF7C6A4629EBEF4AA05319F21453BD895DB604E630D444CBA3

Function 6CE31020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CE31281,?,?,?,?,?,?,6CE313AE), ref: 6CE31057
_amsg_exit.MSVCRT ref: 6CE31086

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: adddb807bafc75133cd1d48b8318f8bdb3d80160c2d2e48dcbff42efa7c07133
Instruction ID: 14ce8288e011d8de9febdd66b802022129cd6b4e775712b794837433750763ed
Opcode Fuzzy Hash: adddb807bafc75133cd1d48b8318f8bdb3d80160c2d2e48dcbff42efa7c07133
Instruction Fuzzy Hash: B0319F71B18260CBDB40AFE9D58475ABBF0EF86348F21942DC4588BB04D779E486DF92

Function 6CECC7C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CECC7D9
_unlock.MSVCRT ref: 6CECC801
calloc.MSVCRT ref: 6CECC84F

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction ID: 68cfdabf3331de6d3cfbe06221e3b6136111c101b813410dd7240e51837447c6
Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction Fuzzy Hash: 62113D727042018FD740AF28C6C075ABBF0EF49218F25856DD8A8CB745EB34D845CB53

Function 6CEC5FC0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CEC5FF0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEC46F9), ref: 6CEC5FFC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEC46F9), ref: 6CEC600E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CEC46F9), ref: 6CEC601E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CEC46F9), ref: 6CEC6030

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 4887dfb914f905ff6466659049c1cde63a3d722efe3145414adcbe0c8a01cf04
Instruction ID: 70a9bb3eb603670f7b42b60b72cdeb136b3300b2fe094cdfb38ab504ca43455b
Opcode Fuzzy Hash: 4887dfb914f905ff6466659049c1cde63a3d722efe3145414adcbe0c8a01cf04
Instruction Fuzzy Hash: 7A0180B1A18354CBCB10BFBDD58761EFBF4AB82254F224629D8D043A14E730E409CBA3

Function 6CEC5E90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CEC5EB2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEC5F65), ref: 6CEC5ECB
abort.MSVCRT ref: 6CEC5EF5

Strings

runtime: failed to create runtime initialization wait event., xrefs: 6CEC5EE5

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabort
String ID: runtime: failed to create runtime initialization wait event.
API String ID: 3843693739-3277801083
Opcode ID: aa7d7f2a07fad51481182a3604e27755ce4bfb7db7a71b141ae314393db5ab5b
Instruction ID: ba714fcee78f7617122c1a5a9f3ab6beab14f522543d47bc0133d4c462eb7361
Opcode Fuzzy Hash: aa7d7f2a07fad51481182a3604e27755ce4bfb7db7a71b141ae314393db5ab5b
Instruction Fuzzy Hash: 65F01DB1A09701CFEB40BFB8D20A35EBAF0BB41304FA2885CD49587640EB79D108DB53

Function 6CECC8F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6CECC942
MultiByteToWideChar.KERNEL32 ref: 6CECC985

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: aab56cc4ad121f4b05259d7802772f4bc1cc2a7f9ba37cc2ca46f6a512ae78b4
Instruction ID: c1541325242e9cabb4e826780855fb9eeaf4005c62f2ccf65e459c45fc69f1e5
Opcode Fuzzy Hash: aab56cc4ad121f4b05259d7802772f4bc1cc2a7f9ba37cc2ca46f6a512ae78b4
Instruction Fuzzy Hash: 9D31D3B16093418FD700EF29D58434ABBF0BF86358F24891EE8A587350D376D949CB43

Function 6CEC66A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6CEC6721

Strings

NaN, xrefs: 6CEC66A1

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction ID: 19b0c963f5bf4a3a5ab9f01982144f2d899ff88549fff97343b410ee4234f585
Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction Fuzzy Hash: 724128B5B05211CBCB00CF18C684766B7F9AF85708B3986A9DC68CF74AD336D816CB91

Function 6CECA850 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,6CECA971,?,?,?,?,?,?,00000000,6CEC8C14), ref: 6CECA877
InitializeCriticalSection.KERNEL32(?,?,?,?,6CECA971,?,?,?,?,?,?,00000000,6CEC8C14), ref: 6CECA8B4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CECA971,?,?,?,?,?,?,00000000,6CEC8C14), ref: 6CECA8C0
EnterCriticalSection.KERNEL32(?,?,?,?,6CECA971,?,?,?,?,?,?,00000000,6CEC8C14), ref: 6CECA8E8

Memory Dump Source

Source File: 0000000D.00000002.2175307202.000000006CE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE30000, based on PE: true

Associated: 0000000D.00000002.2175226750.000000006CE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175567184.000000006CECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175651658.000000006CECE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175724951.000000006CECF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2175802259.000000006CED4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176106623.000000006CF7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF83000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176171131.000000006CF88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176291882.000000006CF9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176349250.000000006CFA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176411917.000000006CFA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2176471142.000000006CFA6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ce30000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 1eb0bef8a96177b2c0656a24dc314962322ff889f5928e59e71591e89d6612f3
Instruction ID: 2cab3976289702397d46a8f279943bbfc2d071ced14f00691c9bf579efd319e7
Opcode Fuzzy Hash: 1eb0bef8a96177b2c0656a24dc314962322ff889f5928e59e71591e89d6612f3
Instruction Fuzzy Hash: 9E118EB2E55215CBDF00ABA8A5CA39DB7F4AB46358F224525C862C7700E635D48AC793

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2899978468688
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D3S2SyPdiw.dll
File size:	1'397'248 bytes
MD5:	234fa81ac8057a55e9678cf0463a6ba6
SHA1:	49433e972cd1322e28204405947e19138a872e55
SHA256:	000e80b5f82b0a0a7c53a136c7066b8ad5661fd02f642ad8fe64f1287d52f92c
SHA512:	274fad0e48ed851cc7b1abedf6f28f78d5d0c288bb6ba62bc9dbb4b493e7f1433bb3d308339fcd5afbbf7e794b232fd1418fb3fd43678481608022bce69f3337
SSDEEP:	24576:K5SWzHvnfLvXM1BSNZZYViEPXM/3qr5zMJCl+0OnMgyw:KPDq4pCoNd
TLSH:	9C552900FD8744F1E003263285A7A2AF63256D094F31DBD7FB48BA7DFA736954836296
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...*.....N...N.................m......................................@... ...................... ..-..

Entrypoint:	0x6d8c1390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d8c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6d95b710, 0x6d95b6c0
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	fc4278e40a172f1e8b037cb3d2809e66

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x172000	0x12d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x173000	0xbb0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x176000	0x882c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x14a444	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1731dc	0x1a0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9be78	0x9c000	4cba9500291619943447665529bf6915	False	0.47325721153846156	data	6.302861870566428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9d000	0x67ec	0x6800	74fdb077101910e98632f4aac264785c	False	0.4213115985576923	dBase III DBT, version number 0, next free block index 1, 1st item ""	4.461047421773977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0xa68cc	0xa6a00	98c470af5ee54fe9b746b907faf6c20d	False	0.43165674231057766	data	5.601434477594958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x14b000	0x1e94	0x2000	b3586cda6a9f1266d88c9bd57736d705	False	0.3330078125	data	4.772055814218093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x14d000	0x24df0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x172000	0x12d	0x200	c87fc8f8787817a98c6f2502635f9f1e	False	0.462890625	data	3.4271057556060756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x173000	0xbb0	0xc00	f9325c52db82893fba8d59d311b3a681	False	0.408203125	data	5.213100684276811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x174000	0x2c	0x200	39d753f3f872fc69a1bf3c2eedf6fbbd	False	0.056640625	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x175000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x176000	0x882c	0x8a00	b74fd00ee9b0319a1fe064eeff43efa8	False	0.6625339673913043	data	6.627412753213743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D3S2SyPdiw.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 4092, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6424, Parent PID: 4092

General

Chronological Activities

Analysis Process: cmd.exePID: 6472, Parent PID: 4092

General

Chronological Activities

Analysis Process: rundll32.exePID: 2316, Parent PID: 4092

Windows Analysis Report
D3S2SyPdiw.dll

Function 6CC0CFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Function 6CBB59F0 Relevance: 18.5, Strings: 14, Instructions: 1019
COMMON

Function 6CBC93F0 Relevance: 16.9, Strings: 13, Instructions: 643
COMMON

Function 6CBD1570 Relevance: 16.4, Strings: 13, Instructions: 150
COMMON