Edit tour

Windows Analysis Report
WW15vnG9EY.dll

Overview

General Information

Sample name:	WW15vnG9EY.dll renamed because original name is a hash value
Original sample name:	70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa.dll
Analysis ID:	1544792
MD5:	4da91b21a75c396b98219ddf500051b7
SHA1:	c84478746587c5bef9f1d2550629660197cd0b7b
SHA256:	70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5500 cmdline: loaddll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2436 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4800 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 2024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 1476 cmdline: rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5324 cmdline: rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3428 cmdline: rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6496 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2992 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5256 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1832 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3004 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4232 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4876 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5588 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4416 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4064 cmdline: rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C1830		3_2_6D0C1830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D101830		13_2_6D101830

Source: WW15vnG9EY.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: WW15vnG9EY.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6D092CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_6D092CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D0ACEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D0B9030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D0BA360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6D0D2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	13_2_6D0D2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6D0ECEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6D0F9030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6D0FA360

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C1A70 NtCreateWaitCompletionPacket,	3_2_6D0C1A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C2A90 NtCreateWaitCompletionPacket,	3_2_6D0C2A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	3_2_6D0C1570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	3_2_6D0C11F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D101A70 NtCreateWaitCompletionPacket,	13_2_6D101A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D102A90 NtCreateWaitCompletionPacket,	13_2_6D102A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D101570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	13_2_6D101570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D1011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,	13_2_6D1011F0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0EBD40	3_2_6D0EBD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D116D40	3_2_6D116D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BAD50	3_2_6D0BAD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D092CA0	3_2_6D092CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D092CA6	3_2_6D092CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D122F90	3_2_6D122F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0CCF90	3_2_6D0CCF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E5FF0	3_2_6D0E5FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D114E40	3_2_6D114E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D09BE90	3_2_6D09BE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0FA992	3_2_6D0FA992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BD9C5	3_2_6D0BD9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A59F0	3_2_6D0A59F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0ED800	3_2_6D0ED800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D10E860	3_2_6D10E860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D116860	3_2_6D116860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D127B10	3_2_6D127B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BBB10	3_2_6D0BBB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D09FBC0	3_2_6D09FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BCA30	3_2_6D0BCA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D115AF0	3_2_6D115AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A0AF0	3_2_6D0A0AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B3400	3_2_6D0B3400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0F344F	3_2_6D0F344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B1440	3_2_6D0B1440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0D6470	3_2_6D0D6470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B6630	3_2_6D0B6630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D112680	3_2_6D112680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0E8690	3_2_6D0E8690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1196C0	3_2_6D1196C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BC6D0	3_2_6D0BC6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D10D010	3_2_6D10D010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0C6010	3_2_6D0C6010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BD040	3_2_6D0BD040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BC080	3_2_6D0BC080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A80A0	3_2_6D0A80A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0990F0	3_2_6D0990F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0CA320	3_2_6D0CA320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D123350	3_2_6D123350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0F73A0	3_2_6D0F73A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0B93F0	3_2_6D0B93F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0CE240	3_2_6D0CE240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0932A0	3_2_6D0932A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0BB2D0	3_2_6D0BB2D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D12BD40	13_2_6D12BD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D156D40	13_2_6D156D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FAD50	13_2_6D0FAD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0D2CA6	13_2_6D0D2CA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0D2CA0	13_2_6D0D2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D10CF90	13_2_6D10CF90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D162F90	13_2_6D162F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D125FF0	13_2_6D125FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D154E40	13_2_6D154E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0DBE90	13_2_6D0DBE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D13A992	13_2_6D13A992
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FD9C5	13_2_6D0FD9C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0E59F0	13_2_6D0E59F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D12D800	13_2_6D12D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D14E860	13_2_6D14E860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D156860	13_2_6D156860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D167B10	13_2_6D167B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FBB10	13_2_6D0FBB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0DFBC0	13_2_6D0DFBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FCA30	13_2_6D0FCA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D155AF0	13_2_6D155AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0E0AF0	13_2_6D0E0AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0F3400	13_2_6D0F3400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0F1440	13_2_6D0F1440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D13344F	13_2_6D13344F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D116470	13_2_6D116470
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0F6630	13_2_6D0F6630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D128690	13_2_6D128690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D152680	13_2_6D152680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D1596C0	13_2_6D1596C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FC6D0	13_2_6D0FC6D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D106010	13_2_6D106010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D14D010	13_2_6D14D010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FD040	13_2_6D0FD040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FC080	13_2_6D0FC080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0E80A0	13_2_6D0E80A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0D90F0	13_2_6D0D90F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D10A320	13_2_6D10A320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D163350	13_2_6D163350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D1373A0	13_2_6D1373A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0F93F0	13_2_6D0F93F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D10E240	13_2_6D10E240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0D32A0	13_2_6D0D32A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6D0FB2D0	13_2_6D0FB2D0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D136BB0 appears 482 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D107410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0C7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D0F6BB0 appears 482 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828

Source: WW15vnG9EY.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D125CF0 GetLastError,FormatMessageA,LocalFree,

3_2_6D125CF0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c6458ac8-0653-452c-82ed-4dcac49bf54c

Jump to behavior

Source: WW15vnG9EY.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate

Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 836
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: WW15vnG9EY.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: WW15vnG9EY.dll

Static file information: File size 1397248 > 1048576

Source: WW15vnG9EY.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D0913E0

Source: WW15vnG9EY.dll

Static PE information: real checksum: 0x15d76d should be: 0x16140a

Source: WW15vnG9EY.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0103AF38 push eax; retf	0_2_0103AF39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01080353 push 49A291CCh; ret	0_2_01080358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0503C884 push edx; ret	4_2_0503C885
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C8042D push dword ptr [eax+52D9574Bh]; iretd	11_2_04C80436
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0443D248 push dword ptr [esi+291909C3h]; iretd	12_2_0443D26F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0503AF59 push eax; retf	14_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0503AF38 push eax; retf	16_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_05080336 push eax; retf	16_2_0508035D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0483D229 pushfd ; retf	19_2_0483D22C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0483AF38 push eax; retf	19_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0443AF38 push eax; retf	20_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_0483AF38 push eax; retf	21_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_0483AF60 push eax; retf	22_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_0483C87D pushfd ; iretd	22_2_0483C88A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_04880353 push esi; iretd	22_2_04880376
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0543D7C5 push ds; retf	23_2_0543D7F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0503D253 push ebp; retf	24_2_0503D254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0503D2F3 push esp; retf	24_2_0503D2F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0503AF38 push eax; retf	24_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_05080411 pushad ; retf	24_2_05080413
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0510443E pushad ; ret	24_2_0510443F

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0FC1E0 rdtscp

3_2_6D0FC1E0

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0FC1E0 rdtscp

3_2_6D0FC1E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D0913E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D124FE0 free,free,GetProcessHeap,HeapFree,

3_2_6D124FE0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0C1C90 RtlGetVersion,RtlGetCurrentPeb,

3_2_6D0C1C90

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	3 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WW15vnG9EY.dll	5%	ReversingLabs

Domains and IPs

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544792
Start date and time:	2024-10-29 18:51:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WW15vnG9EY.dll renamed because original name is a hash value
Original Sample Name:	70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa.dll
Detection:	MAL
Classification:	mal48.mine.winDLL@35/0@0/0
EGA Information:	Successful, ratio: 13.3%
HCA Information:	Successful, ratio: 67% Number of executed functions: 6 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 5500 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1832 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2992 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3004 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3428 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4064 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4232 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4416 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4800 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4876 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5256 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5324 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5588 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: WW15vnG9EY.dll

Simulations

Behavior and APIs

Time	Type	Description
13:52:17	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, PostQueuedCompletionStatus, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrlenA

msvcrt.dll

__mb_cur_max, _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memset, qsort, realloc, setlocale, strchr, strcmp, strerror, strlen, strncmp, strtol, vfprintf, wcslen, wcstombs

Exports

Name	Ordinal	Address
BarCreate	1	0x6d9546f0
BarDestroy	2	0x6d954970
BarFreeRec	3	0x6d954920
BarRecognize	4	0x6d9548d0
GetInstallDetailsPayload	5	0x6d954830
SignalInitializeCrashReporting	6	0x6d954880
SpellFree	7	0x6d954740
SpellInit	8	0x6d954790
SpellSpell	9	0x6d9547e0
_cgo_dummy_export	10	0x6da313a8

Target ID:	0
Start time:	13:52:06
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll"
Imagebase:	0xc0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:52:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:52:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:52:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarCreate
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:52:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",#1
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:52:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 828
Imagebase:	0x350000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:52:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 836
Imagebase:	0x350000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:52:09
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarDestroy
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:52:12
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\WW15vnG9EY.dll,BarFreeRec
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarCreate
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarDestroy
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarFreeRec
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",_cgo_dummy_export
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864
Imagebase:	0x350000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellSpell
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellInit
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:52:16
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SpellFree
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:52:17
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",SignalInitializeCrashReporting
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:52:17
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",GetInstallDetailsPayload
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:52:17
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\WW15vnG9EY.dll",BarRecognize
Imagebase:	0xc10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Executed Functions

Function 6D126170 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D126196
_errno.MSVCRT ref: 6D1261A1
_errno.MSVCRT ref: 6D1261A8
abort.MSVCRT ref: 6D1261CD
Sleep.KERNEL32 ref: 6D1261E6

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D1261B9

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabort
String ID: runtime: failed to create new OS thread (%d)
API String ID: 3675047324-3231778263
Opcode ID: 6494f717dbe32f1551345bb903f8e5f56cd8c08963544e89be5f26b508073c39
Instruction ID: f1d510a78f609dc2341d4d31b4c9da2bec820917200f86ead2fdaee495b1a6a8
Opcode Fuzzy Hash: 6494f717dbe32f1551345bb903f8e5f56cd8c08963544e89be5f26b508073c39
Instruction Fuzzy Hash: 0E016DB54093189FD700BF68D88972EBBF4FF85364F42491DE58983256C772A880DBA7

Function 6D1261F6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D126196
_errno.MSVCRT ref: 6D1261A1
_errno.MSVCRT ref: 6D1261A8
abort.MSVCRT ref: 6D1261CD
Sleep.KERNEL32 ref: 6D1261E6

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D1261B9

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabort
String ID: runtime: failed to create new OS thread (%d)
API String ID: 3675047324-3231778263
Opcode ID: 93d49675a8e1a4873c41ee3390d20c2dcbecf16d84c86b01146170eb86a8f70c
Instruction ID: 1178d61f657ead21665ccf993ad6df26e8fc70b1b8f86b36c1f5b555a87aeefc
Opcode Fuzzy Hash: 93d49675a8e1a4873c41ee3390d20c2dcbecf16d84c86b01146170eb86a8f70c
Instruction Fuzzy Hash: 81014FB5409314DFC700AF68D88976AFBF4FF8A365F42491CE68853255C775A880CBA2

Function 6D0FCFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 6D0FCFE8

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: 83cfa5fc3b8677a28bab34e91b49d7d3f2e2041ae8fee30c9a0b70584cdff009
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: C5E0E571505600CFDB15DF18C2C171ABBE1EB48A00F0485A8DE098F74AD734ED14CB92

Non-executed Functions

Function 6D0A59F0 Relevance: 18.5, Strings: 14, Instructions: 1019
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D0A64EC
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D0A6A06
gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D0A629A
5, xrefs: 6D0A6C27
., xrefs: 6D0A61FE
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D0A699C
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D0A6C4A
gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D0A5ABA
+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D0A64A4, 6D0A678B
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D0A6C34
non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D0A6C1E
, xrefs: 6D0A606A
@s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D0A62C7
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D0A68DC

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
API String ID: 0-2575422049
Opcode ID: 6291a8e6b5640cc77e6ddf27220370e7b941761639cb6c2739985ea7f6dfc23d
Instruction ID: dc44b1305a0a5ce5526d23c14e27a01b9ae582b4f3d896ba1fe0a9c819a2a584
Opcode Fuzzy Hash: 6291a8e6b5640cc77e6ddf27220370e7b941761639cb6c2739985ea7f6dfc23d
Instruction Fuzzy Hash: 6FB2F5B46093408FD724EF68D190BAEBBF5BBC9304F56892ED98987351DB709844CF92

Function 6D0B93F0 Relevance: 16.9, Strings: 13, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D0B96CD
runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D0B976B
runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D0B9CE8
, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D0B9D15
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D0B9C04
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0B97A2, 6D0B9F68
, [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D0B96F7, 6D0B9721, 6D0B9B44, 6D0B9B6E
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D0B9C5B
, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D0B9BD7
] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D0B9B1A
][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D0B96A4, 6D0B9AED
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D0B967A, 6D0B9AB3
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D0B9C88

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-566501290
Opcode ID: baa2fc7f1d7078900f056ae94b620c916b3b717c327e1c0b8ec16ae00297ee55
Instruction ID: b8a01d7d0cbb489d2043ae2c256d0cd1272fbb5b0c2d263b5e0bce899abfb893
Opcode Fuzzy Hash: baa2fc7f1d7078900f056ae94b620c916b3b717c327e1c0b8ec16ae00297ee55
Instruction Fuzzy Hash: 24523575A1C7458FE320DF68D48076EBBE1BF89304F52892DEA9887350D775A884CB93

Function 6D0C1570 Relevance: 16.4, Strings: 13, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 6D0C16A2
RtlGetCurrentPeb, xrefs: 6D0C1734
NtCreateWaitCompletionPacket, xrefs: 6D0C163E
ProcessPrng, xrefs: 6D0C15BF
NtAssociateWaitCompletionPacket, xrefs: 6D0C1690
, xrefs: 6D0C169A
NtCancelWaitCompletionPacket, xrefs: 6D0C16E2
NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D0C17C5
bcryptprimitives.dll, xrefs: 6D0C158D
ntdll.dll, xrefs: 6D0C1608
P, xrefs: 6D0C17E4
bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D0C1807
RtlGetVersion, xrefs: 6D0C177E

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
API String ID: 0-2332038095
Opcode ID: 248e187ca0c9823b1c6843dae2462b85d59856dc256a1270d4bd4ee584367a1e
Instruction ID: c8adb2e65d00a0c35b412daeafe81c6aabbeeac46a866e779c02c4252c6059a9
Opcode Fuzzy Hash: 248e187ca0c9823b1c6843dae2462b85d59856dc256a1270d4bd4ee584367a1e
Instruction Fuzzy Hash: E971A5B450A3029FEB04DF68E19076ABBF0BB8A344F11882DE99987340D7B4D449CF97

Function 6D0B3400 Relevance: 14.6, Strings: 11, Instructions: 876COMMON

Download Yara Rule

Strings

mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D0B41A9
nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D0B3D81
, xrefs: 6D0B3E12
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0B3CE2, 6D0B4156
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D0B418A
sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D0B3CB8, 6D0B412C
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D0B3C4F
previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D0B3DAB
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D0B3D16
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D0B3C65
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D0B3E09

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-893999930
Opcode ID: cdb9c63c8e435b13590e5a712b510eec3c000adbf88878b9b5c564e9e5eb6914
Instruction ID: 98a4b3847e8c28bcc9e07fa07ca6a5979d8f3273034f778afa91f522e2219c80
Opcode Fuzzy Hash: cdb9c63c8e435b13590e5a712b510eec3c000adbf88878b9b5c564e9e5eb6914
Instruction Fuzzy Hash: 3E8212B450C3958FE351DF28C080B6EBBE1BF89708F51886DE9D88B391DB719945CB92

Function 6D0C2A90 Relevance: 14.0, Strings: 11, Instructions: 253COMMON

Download Yara Rule

Strings

runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D0C2F31
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D0C2E7B, 6D0C2ED6
,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D0C2D29
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D0C2D95
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D0C2DC9
%, xrefs: 6D0C2F3A
runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D0C2DEC
NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D0C2E20
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D0C2EFD
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D0C2D6E
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D0C2E47, 6D0C2EA2

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2809656213
Opcode ID: aed1290d5cd95fb67e03ea63ef3837a3386a66f350d0c6d2e297ddf410e9ea20
Instruction ID: c9955fbfbd963404ce03a9da9f768c752ed440d59577a1f99e431bc0f8ced688
Opcode Fuzzy Hash: aed1290d5cd95fb67e03ea63ef3837a3386a66f350d0c6d2e297ddf410e9ea20
Instruction Fuzzy Hash: 61C1CFB45083018FE710EF68C19476EBBF4AF89708F42896CE99887350D7B59989DF93

Function 6D0913E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D0913F0
LoadLibraryA.KERNEL32 ref: 6D091406
GetProcAddress.KERNEL32 ref: 6D091425
GetProcAddress.KERNEL32 ref: 6D091437

Strings

__register_frame_info, xrefs: 6D09141A
__deregister_frame_info, xrefs: 6D09142C
libgcc_s_dw2-1.dll, xrefs: 6D0913E9, 6D0913FF

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: a7a62d8de81c60550c94b2ebf41b97aa636d2c1242ebccec74b838b050a155d0
Instruction ID: 10cee5d43e0f013f6d7b29f67d2365c8430de8cebf30b48b875902505c44c3c5
Opcode Fuzzy Hash: a7a62d8de81c60550c94b2ebf41b97aa636d2c1242ebccec74b838b050a155d0
Instruction Fuzzy Hash: 390121B1A093109FD700BFB8E64935EBEF8BB8A255F02552DD9849B208D7718804DBA3

Function 6D0F344F Relevance: 12.0, Strings: 9, Instructions: 757COMMON

Download Yara Rule

Strings

mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D0F3E67
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D0F381F
4, xrefs: 6D0F3E2E
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D0F3E51
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D0F3E25
malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D0F3E3B
p, xrefs: 6D0F3E7E
3-, xrefs: 6D0F3E78
2, xrefs: 6D0F3E70

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
API String ID: 0-234616912
Opcode ID: b1fe1fa45d4e3dfff86e52ac2a4c51baff3cd173d0a66052ec800c2e7409f481
Instruction ID: 7e965f8e7cc0ee24847762114e0896f9618eff3d39f17fdff80959b371bcb861
Opcode Fuzzy Hash: b1fe1fa45d4e3dfff86e52ac2a4c51baff3cd173d0a66052ec800c2e7409f481
Instruction Fuzzy Hash: F262AD756083418FE714CF29C09072ABBF1BF89724F25896DE9948B392D775E846CF82

Function 6D10D010 Relevance: 10.8, Strings: 8, Instructions: 756COMMON

Download Yara Rule

Strings

!, xrefs: 6D10D20C
invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D10D783
pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D10D8A5
y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D10D2E5
invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D10D095, 6D10D188, 6D10D258, 6D10D814, 6D10D936, 6D10D9C7, 6D10DA58, 6D10DAED
v, xrefs: 6D10D145
n, xrefs: 6D10D2D1
$, xrefs: 6D10D78D

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
API String ID: 0-3686076665
Opcode ID: c12cdb8e74d0dfc6a433a9bebc375507c4ccce9ff435dc672d3cff8bd5b1c296
Instruction ID: 96d5857e4ecfc35076920d88b789a9c63fddb5acdd807552f16e0d5196b977e1
Opcode Fuzzy Hash: c12cdb8e74d0dfc6a433a9bebc375507c4ccce9ff435dc672d3cff8bd5b1c296
Instruction Fuzzy Hash: 437233B4A083458FD314EF29D18075AFBF1BBC9704F558A2EE99887341DBB4A944CF92

Function 6D112680 Relevance: 10.5, Strings: 7, Instructions: 1779COMMON

Download Yara Rule

Strings

%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6D1140F9, 6D1143DB
0, xrefs: 6D113270
)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D113D04, 6D113FCF, 6D114113, 6D1143F5
0, xrefs: 6D113464
0, xrefs: 6D113387
0, xrefs: 6D1131D1
%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWSleepyCardsbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg, xrefs: 6D113CEA, 6D113FB5

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWSleepyCardsbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
API String ID: 0-2334823967
Opcode ID: b9b7cddb6b7f9b652ceca678fc59284d988b0ade161cbd5c83d12a1353b24e53
Instruction ID: 7438d2db8c8027e2427348c76de2dc77758235729eb39e4cec10cf279f713776
Opcode Fuzzy Hash: b9b7cddb6b7f9b652ceca678fc59284d988b0ade161cbd5c83d12a1353b24e53
Instruction Fuzzy Hash: 6203F374A0D3828FC329CF18C49079EFBE1BBC9304F15892EE99997355D7B0A945CB92

Function 6D0E5FF0 Relevance: 10.5, Strings: 8, Instructions: 512COMMON

Download Yara Rule

Strings

(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D0E6440
:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D0E651D
non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D0E67E5
pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D0E66B3
, xrefs: 6D0E6151
sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D0E6686
, xrefs: 6D0E6159
fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D0E6659

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
API String ID: 0-3830612415
Opcode ID: 64fbc0d1360d6ee84a46f1feb43674fa94e73946f22631450bb0963e58f07365
Instruction ID: 8e444c3200d6fa234d97bebee058e5488ba6363a5168f4e335f6b6d7ffbcdea3
Opcode Fuzzy Hash: 64fbc0d1360d6ee84a46f1feb43674fa94e73946f22631450bb0963e58f07365
Instruction Fuzzy Hash: A432D17460C3818FE365DF65D1807AEBBE1AFC9344F858D2EEAC887351D730A8459B92

Function 6D0C1A70 Relevance: 8.9, Strings: 7, Instructions: 116COMMON

Download Yara Rule

Strings

&, xrefs: 6D0C1C3D
winmm.dll, xrefs: 6D0C1AF3
runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D0C1BD9
runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D0C1C34
timeEndPeriod, xrefs: 6D0C1B73
timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D0C1C0D
timeBeginPeriod, xrefs: 6D0C1B29

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
API String ID: 0-424793872
Opcode ID: acdfabcd9a34eb6bbe29038aab496cdad66383ac82aeacfa57eb4ac023fe59ff
Instruction ID: 5fcb494fbde0390829223f1d10ac40fd204c59cbcc0a5325b050b7b1a91fc72c
Opcode Fuzzy Hash: acdfabcd9a34eb6bbe29038aab496cdad66383ac82aeacfa57eb4ac023fe59ff
Instruction Fuzzy Hash: 5751A4B46093019FEB04EF69E19476EBBF0BB89308F01881DE59887740DBB59489DF93

Function 6D0CCF90 Relevance: 8.6, Strings: 6, Instructions: 1093COMMON

Download Yara Rule

Strings

findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r, xrefs: 6D0CE0D5
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D0CE093
!, xrefs: 6D0CE0DE
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D0CE0BF
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D0CE0EB
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D0CE0A9

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
API String ID: 0-3082151594
Opcode ID: 384c01c075c8d54092224b4270ba44d2394ebc368a5b5a3800d9e547a5c7c527
Instruction ID: bc20c61e4aaa15da97d2e0eef87d6c06e373daa048511d9ee786e3bb2a7ce042
Opcode Fuzzy Hash: 384c01c075c8d54092224b4270ba44d2394ebc368a5b5a3800d9e547a5c7c527
Instruction Fuzzy Hash: D6A2BBB464D3419FE724DF69D090B6EBBF0BB8A744F01882DE9D887380EB759844DB52

Function 6D0C11F0 Relevance: 7.6, Strings: 6, Instructions: 133COMMON

Download Yara Rule

Strings

runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D0C13C4
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D0C139D, 6D0C13F8, 6D0C144B
5, xrefs: 6D0C1420
d, xrefs: 6D0C1276
runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D0C1369
runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D0C1417

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
API String ID: 0-2414937731
Opcode ID: 3e7d2e1cbcfe4604333c744f741adaccb3299ca594203fe47c8b091cb85fab55
Instruction ID: cdcaee133acc8692ed85dc72c7bd79d15bbd2c1030176eb83ccb0ebe41a80c8e
Opcode Fuzzy Hash: 3e7d2e1cbcfe4604333c744f741adaccb3299ca594203fe47c8b091cb85fab55
Instruction Fuzzy Hash: ED51ACB450D3019FE740EF68C19476EBBF4AF89708F41882DE99887360D7759988DBA3

Function 6D125CF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D125CF4
FormatMessageA.KERNEL32 ref: 6D125D39
LocalFree.KERNEL32 ref: 6D125D6E

Strings

Erro: %s, xrefs: 6D125D53

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: Erro: %s
API String ID: 1365068426-2412703935
Opcode ID: 93c1e5caf33870a774d88ef029beeffbb8d4e75650951c47ebfce4a9646006a1
Instruction ID: 33f5abf10d2a3aa686367881b41f07b2781592cf67c160de90453d15f8f77cf3
Opcode Fuzzy Hash: 93c1e5caf33870a774d88ef029beeffbb8d4e75650951c47ebfce4a9646006a1
Instruction Fuzzy Hash: 53018CB04083019FE700AF64C19D71ABBF0BB88349F41891DE8989A258E7B98588CF93

Function 6D0B1440 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D0B1A0F
min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D0B19C0
!, xrefs: 6D0B1A18
runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D0B198C, 6D0B19DB

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
API String ID: 0-967014423
Opcode ID: d4e04e52e20989c49fc837f9a9d68bbfff1dd5f68783ac76849b1391837ca119
Instruction ID: c8aee8edf096e6512a584dedbabcc742a093706b5356af0a5ac1488713081294
Opcode Fuzzy Hash: d4e04e52e20989c49fc837f9a9d68bbfff1dd5f68783ac76849b1391837ca119
Instruction Fuzzy Hash: F9F1CF3264D3268FE715DE9884C071EB7E2FBC8348F55893CD9948B385EB72A845C6C2

Function 6D0CA320 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D0CA843
stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D0CA690
stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D0CA7EB
stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D0CA7B0

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
API String ID: 0-2039697367
Opcode ID: 21e13fd260bf149b8c48077b13bf1bfcb1bd855ef933670c61a48686ea1b95e3
Instruction ID: 9c1456d753c0f67fa73cb8211571bca408cf3b1171a8a0e009ac6a58d4d51162
Opcode Fuzzy Hash: 21e13fd260bf149b8c48077b13bf1bfcb1bd855ef933670c61a48686ea1b95e3
Instruction Fuzzy Hash: ACF1DF74A0D3418FE708CF69D190A6AFBF1BB89704F61892EE99887351DB70E945CF42

Function 6D127B10 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 6D127E04
gfff, xrefs: 6D127C1C
gfff, xrefs: 6D127C33
@, xrefs: 6D127CC9

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 1bea68cb9c5a7ac38e80fd794098c59119af2d09e253c04ebdf17acc6fad3473
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 9FD1A471A083468BD704CE29C48036BB7E1BF95354F05C92EE8988B35DE7B2DD89C792

Function 6D124FE0 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6D125002
free.MSVCRT ref: 6D125042
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,6D125590), ref: 6D12506B
HeapFree.KERNEL32 ref: 6D125080

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: 9818b2ebce2333a5a49be1b21f16e135bc26345105e372babf5276a6dc141ba8
Instruction ID: 7c5d9b3b9b5f2fd0794d34756075c5564f1e8ac543a581c196d0b216d0c1ee12
Opcode Fuzzy Hash: 9818b2ebce2333a5a49be1b21f16e135bc26345105e372babf5276a6dc141ba8
Instruction Fuzzy Hash: 8021E5B0A083018BEB009F64C4C8B2ABBF0BF94704F55C96CD8898B20DD776D885CB91

Function 6D0C1830 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

powrprof.dll, xrefs: 6D0C184D
', xrefs: 6D0C1889
', xrefs: 6D0C1891
PowerRegisterSuspendResumeNotification, xrefs: 6D0C187F

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4026319467
Opcode ID: 31da5e9c6716520b06c0f9efecf5f0b3486f9039ee11217efd9eef0f7cb4ef59
Instruction ID: bca37b9b9eb1f1d898c36104cc95e011d0ffd269b51a4ef2785736943bfe4ab6
Opcode Fuzzy Hash: 31da5e9c6716520b06c0f9efecf5f0b3486f9039ee11217efd9eef0f7cb4ef59
Instruction Fuzzy Hash: CA21ADB45083429FE704CF25D094B5ABBF0BB89748F50891EE49987350E7B5AA89CF83

Function 6D0D6470 Relevance: 4.2, Strings: 3, Instructions: 451COMMON

Download Yara Rule

Strings

<, xrefs: 6D0D6A0D
runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D0D6A04
runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D0D69D7

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
API String ID: 0-450027851
Opcode ID: e29470bcce2e7ea9963e0dceebbddd70742b06dec5f101055e594084602a4ac5
Instruction ID: cd095e86ee966a25c594ea2afd4a270ac90846cd3361adc2ad75676f36fdbe6c
Opcode Fuzzy Hash: e29470bcce2e7ea9963e0dceebbddd70742b06dec5f101055e594084602a4ac5
Instruction Fuzzy Hash: EB025970A087098FE354DF69C19071ABBE1BFC8704F95892EE99987354EB71E845CF82

Function 6D0C6010 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

', xrefs: 6D0C64AC
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D0C64A3
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D0C648D

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
API String ID: 0-3278438963
Opcode ID: 1dc937d6fa23f13bf8ffccf7a89f7129e93f5b682ecf4ea31acc15e1eaf91e77
Instruction ID: ee092e86a8749ed4debe544acea2f761ce75c0738b37ada9085d4a034fd87df6
Opcode Fuzzy Hash: 1dc937d6fa23f13bf8ffccf7a89f7129e93f5b682ecf4ea31acc15e1eaf91e77
Instruction Fuzzy Hash: 67D12F7460C3418BE715CF25C090A2EBBF2AF8A708F85886DE9C5973A1D735E945CB93

Function 6D0B6630 Relevance: 3.0, Strings: 2, Instructions: 499COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D0B6D4E
+, xrefs: 6D0B6D57

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3347251187
Opcode ID: 2cf8704e832e3a06bdde9528adb0169a6d405c11f276d56a096fa8e4b0227e77
Instruction ID: ac6b99384bfa014922fc27163b79169e5563a667d982e2c89fc3f23a24ee0881
Opcode Fuzzy Hash: 2cf8704e832e3a06bdde9528adb0169a6d405c11f276d56a096fa8e4b0227e77
Instruction Fuzzy Hash: 6C22EE7460C3419FE314DF29C190B6ABBE1BF89744F51892DE9D98B350DB76E8448B82

Function 6D0BB2D0 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

@, xrefs: 6D0BB4FB
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0BB60F

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: 58d437a6803647a92b529681dffe10e872c46b4d9b9d9326c57e8cbec7f42ac0
Instruction ID: 5b6d9e800459527df94b5a47cb1357f7bff661b28254f3b79c0181bcc076739c
Opcode Fuzzy Hash: 58d437a6803647a92b529681dffe10e872c46b4d9b9d9326c57e8cbec7f42ac0
Instruction Fuzzy Hash: 1BA1B175A0870A8FD304CF18C8C065AB7E1FFC8318F558A2DE9959B351DB35E95ACB82

Function 6D0FA992 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 6D0FA9BD
, xrefs: 6D0FA9B8

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 28c0b169336063d9fea398cdf799eeb8efe7166cecce6eb2470f94cb94f15c96
Instruction ID: 9895f51040c60abd55502ca30e370794ac17e1d9d94ab0fbb38da508fdd56dc7
Opcode Fuzzy Hash: 28c0b169336063d9fea398cdf799eeb8efe7166cecce6eb2470f94cb94f15c96
Instruction Fuzzy Hash: 4451A220C1CF9B65E6330ABDC5027663B606EB3140B01D76FFDD6B54B2E7536944BA22

Function 6D0ACEC0 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

,, xrefs: 6D0ACFAA
gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D0ACFA1

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
API String ID: 0-27675022
Opcode ID: 0fc05aeeeb709222ae009952531c3811c681e729369d64e340db73a13a04a9b7
Instruction ID: 830e86476089ae1e79aad3ef300a761adc21df18bec84755e33b7fbbeb6b5415
Opcode Fuzzy Hash: 0fc05aeeeb709222ae009952531c3811c681e729369d64e340db73a13a04a9b7
Instruction Fuzzy Hash: CD31CE75A093968FD305DF14D490B69B7F2BB86608F4981BDDC884F383CB31A84ACB85

Function 6D115AF0 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D115C8E

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
API String ID: 0-1364986362
Opcode ID: 7a62e25d4adc84973bb51b64aea8a9abd825deb6ec7b2940e47f5dec90da8fd7
Instruction ID: ba7a13dc81bc6aee7382a8b02fe9047fd87f95f1b04b1ba35e122937e5037304
Opcode Fuzzy Hash: 7a62e25d4adc84973bb51b64aea8a9abd825deb6ec7b2940e47f5dec90da8fd7
Instruction Fuzzy Hash: 3E5217B190C3858FD334CF19C5903DEBBE1ABD5304F45892DDAD897391E7B5A9448B82

Function 6D0E8690 Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

4, xrefs: 6D0E89FB

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: fab3b57f347e7a06c6e8badeb58ad8b51067727217116a5bf8d5345e1acfdfb9
Instruction ID: 32806b107175ea91a65d091a944893c74ea1843ecf589753886f357084613a91
Opcode Fuzzy Hash: fab3b57f347e7a06c6e8badeb58ad8b51067727217116a5bf8d5345e1acfdfb9
Instruction Fuzzy Hash: 0F22CC7460D3468FE334DE58C4C476EB7E1AFCA344F548A2DD9998B391DB70A805CB82

Function 6D0A0AF0 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D0A0D52

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: b2c8b00bba3ec7fdbe93239b6937a3176639cced772e6046a0f11fc3748e8bc4
Instruction ID: b22a1e7e482df4eac175e353723ab7ff98613bd7849a9c85c83f4f882f63bfcc
Opcode Fuzzy Hash: b2c8b00bba3ec7fdbe93239b6937a3176639cced772e6046a0f11fc3748e8bc4
Instruction Fuzzy Hash: 4DD154B460C34A9FE704DF69C08066EBBE0BF89748F45892EE8D987342E735D945CB42

Function 6D0BD040 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D0BD3CB

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-429552053
Opcode ID: 9c70621e346953eb57b3b18843dd4c0b3e46fc01d11693fc14c7b056e6969635
Instruction ID: b7dc100cd44e1fb99e6fc9271fa7b43486768c250d88cbefea4bbe7b7fb2618f
Opcode Fuzzy Hash: 9c70621e346953eb57b3b18843dd4c0b3e46fc01d11693fc14c7b056e6969635
Instruction Fuzzy Hash: 29B1EF78A0D3469FD704DF68C080A2AFBF1BBC9744F52982DE99687310E771E845CB92

Function 6D1196C0 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;, xrefs: 6D1199AA

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 46290f54545af768be44785e033e11cb9a08dd87f0bf752820f652f96a1f281b
Instruction ID: 5c3542ec54872ccb60c213cda1cd38ef98c62d51bca01c2d2e72ddb18b85760b
Opcode Fuzzy Hash: 46290f54545af768be44785e033e11cb9a08dd87f0bf752820f652f96a1f281b
Instruction Fuzzy Hash: 27A19371B083054FD70CDE5DD99131AFAE2ABC8304F05CA3DE599CB7A8E674D9098B86

Function 6D0BA360 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

@, xrefs: 6D0BA588

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e4fbb487f9c49781586d11bc74d9c51c7a4bd9f14e4a4e5484a081d11418f410
Instruction ID: 6b2137f8e8918118263b3eb099e8d86559b85db9ebd55c4db6e792d4131ae3b6
Opcode Fuzzy Hash: e4fbb487f9c49781586d11bc74d9c51c7a4bd9f14e4a4e5484a081d11418f410
Instruction Fuzzy Hash: 9D910EB5A0D3059FD344CF28C080A5ABBE1FF88744F91992EE99987341E775E985CF82

Function 6D10E860 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab19f82ca6d87b46d8601c03f73dbf118d9ff1f20fa77173b925bd0ec46d5c8b
Instruction ID: 487cba85fd232105b53378db3763169e8ce2a4bcc6e91b68f666714673292418
Opcode Fuzzy Hash: ab19f82ca6d87b46d8601c03f73dbf118d9ff1f20fa77173b925bd0ec46d5c8b
Instruction Fuzzy Hash: 58824F75A083458BC738DE09C59079AF7E2BBDD300F56892ED599D3354EBB0AE05CB82

Function 6D116D40 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4bd759018d9bedcb0b21ba6c66e24a5bd92395e5890dc29a9a09b5f665e8a0
Instruction ID: b9db28e0c7e78022737bdd8a79e387fcac0a4ba82c72babb3a249b53b1401eb9
Opcode Fuzzy Hash: de4bd759018d9bedcb0b21ba6c66e24a5bd92395e5890dc29a9a09b5f665e8a0
Instruction Fuzzy Hash: 95226071A1C34ACFD724CE65C89036FB7E2BB95304F55883DE98587345EBB1A909CB82

Function 6D114E40 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdc2fe8315ec4e024cc0cfe2c286bb43791fddbbc2d5b09573738e12148e93a
Instruction ID: 96bbcf0f3ba764431cf8549b0f30d92352f4d14a1357ec040366f2c81e225c50
Opcode Fuzzy Hash: ebdc2fe8315ec4e024cc0cfe2c286bb43791fddbbc2d5b09573738e12148e93a
Instruction Fuzzy Hash: 11128872A087098FD324DE5DCD8124AF7E6BBC4704F55CA3DD9588B359EBB0E9058B82

Function 6D0BC080 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95905949820edeec9d3ee25cd1304233b97ffe132cb3a7d1375959b4c6dd846
Instruction ID: 468a37c7807742c7ef8d02e361ba3eab36edf559997bc08b56b8e0fdcfa50351
Opcode Fuzzy Hash: f95905949820edeec9d3ee25cd1304233b97ffe132cb3a7d1375959b4c6dd846
Instruction Fuzzy Hash: E3E11532B5D71A4BE315DDBD88C035EB2D2ABC8344F49863CDD649B380FA76990A86C5

Function 6D0EBD40 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c921b0bc75f59bbce33cfd34b81bbd5c85344561f82a6a95d12423c05b14a5
Instruction ID: cc5187d88be723fffa9328637152c3d12a854045550126ac3e4daf5a3b105bbc
Opcode Fuzzy Hash: 34c921b0bc75f59bbce33cfd34b81bbd5c85344561f82a6a95d12423c05b14a5
Instruction Fuzzy Hash: 78027F756083468FE324CE68C4C066EFBE1BFC9348F55892DE9998B341D731E845CB96

Function 6D0BBB10 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba39a2d94e0e9a9e7858d58ceac45df22bde3fe14062c1699f37e57b8373149f
Instruction ID: 1ed7bf899d2abca33535d11657199f198a5b75dff6d42ab00befa8f11fdf6375
Opcode Fuzzy Hash: ba39a2d94e0e9a9e7858d58ceac45df22bde3fe14062c1699f37e57b8373149f
Instruction Fuzzy Hash: 6BE1D433E2872507E3149E58CC80249B2D2ABC8670F4EC73DED959B781E9B5ED5987C2

Function 6D116860 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c36d6a8fcaf3a77a4fdf43d68845abcd40b3320fe6f4a3cfc1280a56ac6eb3
Instruction ID: f895a06fe023d423c6c913dfeaa40bbd6204d48acb003b47bb0f5a0ace991d9d
Opcode Fuzzy Hash: 26c36d6a8fcaf3a77a4fdf43d68845abcd40b3320fe6f4a3cfc1280a56ac6eb3
Instruction Fuzzy Hash: 66E1A272A0C3698BC705CF25889031EFBE2BBD5704F45897DE8958B245E7B29909CBC6

Function 6D0A80A0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583567786b4e6800410b4258a9f6d325d9bc64553ba0d4724e678071da7a1fe1
Instruction ID: be5b1b4d270206e5a979d9ced56bb542d97a87425111556a6c307474c777ebe5
Opcode Fuzzy Hash: 583567786b4e6800410b4258a9f6d325d9bc64553ba0d4724e678071da7a1fe1
Instruction Fuzzy Hash: C2C1E332B483264FD709DE6CC89071EB7E2ABC8304F59863DE9559B3A5E774EC068781

Function 6D0ED800 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01102f6ca95c295bb9f788ccf8f614b58e4d77107ed3cdde2843e7f33485d433
Instruction ID: 4162ecf41c0285e915bc2a5874613f1a9c535a0641052e5b00973dbd8f4b57f7
Opcode Fuzzy Hash: 01102f6ca95c295bb9f788ccf8f614b58e4d77107ed3cdde2843e7f33485d433
Instruction Fuzzy Hash: 1DE1A03150C3568FD315DF29C4C0A2AFBE1EFCA244F15896EE9958B392D730E905DBA2

Function 6D0CE240 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5226584c0f830d2fc306fc8b2edd10a2ea9cf00361825fc45a828d33b7197d
Instruction ID: 6c5a8d645a32dbb6462df6db87577c9b9e9b23811aa47e311a888d755badd30c
Opcode Fuzzy Hash: ae5226584c0f830d2fc306fc8b2edd10a2ea9cf00361825fc45a828d33b7197d
Instruction Fuzzy Hash: 4AF1BE7460D3918FD365CF29C090B5EBBE2BBC9204F54892EE9D887351EB71A845CB53

Function 6D122F90 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13041c5e5001cd59dc11fc8d1f630024580fdabbc3202fb2794c9f2e86fd9a86
Instruction ID: 13bc23174e46587c8d5f324ae12cc92bb282578afa3c4588c8931a395fefb61a
Opcode Fuzzy Hash: 13041c5e5001cd59dc11fc8d1f630024580fdabbc3202fb2794c9f2e86fd9a86
Instruction Fuzzy Hash: 74C1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91866D9644CF7C3DA3AF46B97E4

Function 6D123350 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c99145df3cd9448de078b0548ea786860be560809d1fd0af4e8d931e89e95c
Instruction ID: 3bb491f7d94bd67f7d68a517213a02e83104aba5d33e9e88852904d5cd74ac9d
Opcode Fuzzy Hash: 16c99145df3cd9448de078b0548ea786860be560809d1fd0af4e8d931e89e95c
Instruction Fuzzy Hash: 10C1527060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4

Function 6D0BC6D0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ea84094a5811db662dec80700ffbfd72b975c2551d231003a76ac088956676
Instruction ID: 7591b923ba66610c8e59d064a1047a8a88396db489b8e3c0d14fa43ec080b22d
Opcode Fuzzy Hash: 28ea84094a5811db662dec80700ffbfd72b975c2551d231003a76ac088956676
Instruction Fuzzy Hash: F291463264C7164FE319CEADC4D061EB3E2FBC8348F55873CD9694B380EB76A9098685

Function 6D0BCA30 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965e0edb81f405fe7eb9d983c44d0d0a8674fed9c13d850ff1cfad21d2660f68
Instruction ID: bcf57e147eb06e0681e9548e18fc74f78780018c27aad99b976a06e281c3bb31
Opcode Fuzzy Hash: 965e0edb81f405fe7eb9d983c44d0d0a8674fed9c13d850ff1cfad21d2660f68
Instruction Fuzzy Hash: 3D814737A4C72A4FE312CDA888D075D32D2ABC8318F59463CDD748B3C5EBB6A80586C5

Function 6D0BAD50 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6683fe743c04af60dd630f28e76e009f2850abfaac095e1739a28ee3271d8ee3
Instruction ID: 4b96432bf95e62d563cec97fe10667f7f3090fb9247ae2736130cb1e898b882a
Opcode Fuzzy Hash: 6683fe743c04af60dd630f28e76e009f2850abfaac095e1739a28ee3271d8ee3
Instruction Fuzzy Hash: 0E91C676A187184BD304DE59CCC0659B3D2BBC8324F49C63CECA89B345E675EE49CB82

Function 6D0932A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5598305615de8944a7ad53e3e6344f188005c9dc0635cb8c1f0adb198492c38
Instruction ID: f746a725f7223b9a27287e71ca0f2fc2871c38d7ea33cf69ba720e08a46ebbed
Opcode Fuzzy Hash: c5598305615de8944a7ad53e3e6344f188005c9dc0635cb8c1f0adb198492c38
Instruction Fuzzy Hash: DC81D6B2A183108FC314DF19D88095AF7E2BFC9758F46892DF988D7311E771E9158B86

Function 6D0B9030 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a672fa4666f95a5b9ce75f7ecf03663e43826c66368779d91bd4aedbd507b3
Instruction ID: 40862725fa767dd467b6e52e4d259b2da9c408d33dbbe0bc65047f369502ae9c
Opcode Fuzzy Hash: b9a672fa4666f95a5b9ce75f7ecf03663e43826c66368779d91bd4aedbd507b3
Instruction Fuzzy Hash: 2991A9B8A0D3419FC308CF28C090A1ABBE0FF89748F519A6EE99997351D731E945CF46

Function 6D092CA6 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
Instruction ID: 5e0ce31e371c3dc6d0a15bfacbdb05b3a7a7325d46e1d8a08d269fb91b36d32b
Opcode Fuzzy Hash: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
Instruction Fuzzy Hash: 3651667090C3A44AE3158F6F48D412EFFE16FC6301F884A6EF5E443392D5B89515DB6A

Function 6D092CA0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ce7b6036805578b6991b028fb468c3a93c7cdad0ff80843793c936bf34bf2a
Instruction ID: 8b2b9c72097f5abe2e7412962f31b47347dcbea9df98ef54d6241b445118c22d
Opcode Fuzzy Hash: 64ce7b6036805578b6991b028fb468c3a93c7cdad0ff80843793c936bf34bf2a
Instruction Fuzzy Hash: 1451567090C3A44AE3158F6F48D412AFFF1AFCA301F884A6EF5E443392D5B89515DB6A

Function 6D0BD9C5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9464670720d5cec7526170a97f241d3b547c0ee32cac8b16ea87d274058f23
Instruction ID: 13443566d20afebcf7f558c713cb3c515e555504103dc96b0771c299d1e44281
Opcode Fuzzy Hash: 7e9464670720d5cec7526170a97f241d3b547c0ee32cac8b16ea87d274058f23
Instruction Fuzzy Hash: 4F5138B56093128FD318DF69C590B1AFBE0BB88604F05857CED599B392D731E846CBD2

Function 6D09BE90 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dba37b4972703f4739d467c4656cacdebc54675d7b98e01084d2c320e1d1333
Instruction ID: a7544d988bdc32732cc20f0226cc2f9696fba4a8ae2b467710201d59dc2b7224
Opcode Fuzzy Hash: 1dba37b4972703f4739d467c4656cacdebc54675d7b98e01084d2c320e1d1333
Instruction Fuzzy Hash: B241D570918F058FD346DE39C49031AB7E5BFCA384F54872DE94A6B352EB719882DB42

Function 6D09FBC0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44a0ba2c71ca78464b99a01e6cfa7b0ae73f3339fee209901e82cdce1d36072
Instruction ID: dbae596c9463201ef97d4621c0660d85bf29f3abcc4d49eddf52deb0ec2a0606
Opcode Fuzzy Hash: d44a0ba2c71ca78464b99a01e6cfa7b0ae73f3339fee209901e82cdce1d36072
Instruction Fuzzy Hash: 513161B381971D8BD300AF498C40249F7E6AFC0B20F5E8A5ED9A417301DBB0AA15DBC7

Function 6D0990F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70cdc72330989ad26bbd1340e7e1c0023d235a9c394c49b3d8970e4908e7eb7
Instruction ID: e608767248543574acd512b9136e3577b1e31c8eb0ffdb12d51a15e510c36d33
Opcode Fuzzy Hash: c70cdc72330989ad26bbd1340e7e1c0023d235a9c394c49b3d8970e4908e7eb7
Instruction Fuzzy Hash: C121C2317042128FEB08CE39E8E032AB7F3BBCA710B59956CD555CB6A4DA74A809C746

Function 6D0C1C90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9eb18f8659ae61d3002e51e556e238b179dc98e7ca26403c853313e46c1f0c
Instruction ID: 9e02c18b1d42112021bca0000d406f39ae227f85dc13955064a7259a80819a8f
Opcode Fuzzy Hash: 5c9eb18f8659ae61d3002e51e556e238b179dc98e7ca26403c853313e46c1f0c
Instruction Fuzzy Hash: 72112B746083418FE705CF24D0A0769B7F1AB8A308F55485CE9994B391D7769859CB43

Function 6D0F73A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799b950aafab46995c3184c5c2b6a7d2aa658c3b306eef246b812ae6a4d0cebf
Instruction ID: d1988ad7a5db4db12248e876f95502df2590b4a1ea7001fbcf0a30669530ab9f
Opcode Fuzzy Hash: 799b950aafab46995c3184c5c2b6a7d2aa658c3b306eef246b812ae6a4d0cebf
Instruction Fuzzy Hash: BA11EDB4600B118FD398DF59C0D4E65B3E1FB8C200B4A81BDDB0E8B766C670A855DB85

Function 6D0FC1E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62e9b40b8889283369c733b4b486c010c6db68c8fd548765d833781fa73bc97
Instruction ID: 0bc26c6664960f52180617576eb815a8b66e3a5b49fb24c006be91fbd9a3d53d
Opcode Fuzzy Hash: e62e9b40b8889283369c733b4b486c010c6db68c8fd548765d833781fa73bc97
Instruction Fuzzy Hash: AFC04CB081E3529DF751CB1C918135ABEE5AB87340F94C49DA54883144C37596A1A619

Function 6D12B7C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6D12B7EF
vfprintf.MSVCRT ref: 6D12B80F
abort.MSVCRT ref: 6D12B814
VirtualQuery.KERNEL32 ref: 6D12B8AB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6D12B957
Mingw-w64 runtime failure:, xrefs: 6D12B7E8
Address %p has no image-section, xrefs: 6D12B96B
VirtualProtect failed with code 0x%x, xrefs: 6D12B926

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: a6abef6a8b6bfa60f45143dafad1712c300c460fada4cfb2576381f1f8c43d18
Instruction ID: eb5936229b3819d2f67253dd5a012c94e9babdfce004f609be842f61c83e5f52
Opcode Fuzzy Hash: a6abef6a8b6bfa60f45143dafad1712c300c460fada4cfb2576381f1f8c43d18
Instruction Fuzzy Hash: 05517CB19083059FCB00DF28C58975AFBF1FF84318F45891DE9889B248D776E884CB92

Function 6D124C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 162stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6D124C4A
malloc.MSVCRT ref: 6D124C6D
mbstowcs.MSVCRT ref: 6D124C9B
_wcsnicmp.MSVCRT ref: 6D124CF4
strtol.MSVCRT ref: 6D124D62
lstrlenA.KERNEL32 ref: 6D124D70
free.MSVCRT ref: 6D124E11
SetLastError.KERNEL32 ref: 6D124E56

Strings

#, xrefs: 6D124C3A

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID: #
API String ID: 533997002-1885708031
Opcode ID: 653bfa6757344b04779a1cbede6b40e4da135fbc133987db4e13f3687f2bb836
Instruction ID: 30bb9c05c20e561587382e490f4b0b2eb180a4f23fca968217fc3b9604e525cc
Opcode Fuzzy Hash: 653bfa6757344b04779a1cbede6b40e4da135fbc133987db4e13f3687f2bb836
Instruction Fuzzy Hash: E3519C71A083198FD310DF29D08065AB7E5FFEC314F41892EE998D7204E7B6E985CB92

Function 6D126058 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6D126080
EnterCriticalSection.KERNEL32 ref: 6D12609F
LeaveCriticalSection.KERNEL32 ref: 6D1260B9
SetEvent.KERNEL32 ref: 6D1260CA
abort.MSVCRT ref: 6D1260F8
EnterCriticalSection.KERNEL32 ref: 6D12610A
LeaveCriticalSection.KERNEL32 ref: 6D126123

Strings

unexpected cgo_bindm on Windows, xrefs: 6D126070
runtime: failed to signal runtime initialization complete., xrefs: 6D1260E8

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabort$Event
String ID: runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 123483900-760755518
Opcode ID: f3b388ceb493c56899f599b315d8249b54657dcc969db56f70be8e9cb4b7fa7b
Instruction ID: d1bafbc65bc62a67d0bb34298407b5921f1f6ee0d5e00d0e1d97c2d5a067d674
Opcode Fuzzy Hash: f3b388ceb493c56899f599b315d8249b54657dcc969db56f70be8e9cb4b7fa7b
Instruction Fuzzy Hash: 0B11BCB18086148FDB01BFB8914E36EBBB4BB42308F82095CD98597609EB75A499CB57

Function 6D125156 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 6D1251AD
GetProcessHeap.KERNEL32 ref: 6D12520A
HeapAlloc.KERNEL32 ref: 6D125223
memcpy.MSVCRT ref: 6D1252E1
memset.MSVCRT ref: 6D12537C
IsBadReadPtr.KERNEL32 ref: 6D1253EF
realloc.MSVCRT ref: 6D125440

Strings

@, xrefs: 6D125210

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
String ID: @
API String ID: 3801555102-2766056989
Opcode ID: d4b4892e3e5a5bf1ad6002d2e93d5ce561a3bac04f2790462a68e2a30d3e57a0
Instruction ID: bb3307a6ded4e80f94bf12d90e3ccef7aaa39576710540d0dc5aca037176e68e
Opcode Fuzzy Hash: d4b4892e3e5a5bf1ad6002d2e93d5ce561a3bac04f2790462a68e2a30d3e57a0
Instruction Fuzzy Hash: 4CA1D0B0A087029FD710CF29C58476AFBE0BF88314F45892DE89997304E7B5E995CF82

Function 6D1268E0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6D1269B1

Strings

0, xrefs: 6D126E2E
o, xrefs: 6D126D98

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction ID: 7fe9782eb800270bad326c8aac3c0cd3b96440e272506be1860e32cb0775e942
Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction Fuzzy Hash: 22F16071A0824D8FCB05CF68C48079DBBF2BF89360F15C229D994AB399D775E985CB90

Function 6D128050 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6D128068

Strings

Inf, xrefs: 6D128B25, 6D128B3D
@, xrefs: 6D128337
NaN, xrefs: 6D128A2B

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 20a74dc6001b2d351fde91c993480563cf70f1b28de554b52a1690da559eb187
Instruction ID: cf5f11ca25e1d4a13c13eebbc9b94c3d2176e2c81c097ad4de4f9a7fc4804655
Opcode Fuzzy Hash: 20a74dc6001b2d351fde91c993480563cf70f1b28de554b52a1690da559eb187
Instruction Fuzzy Hash: 71F1E47160C3828BD7218F24C49079BBBE1BFC5314F158A2DD9DC97389D7B69986CB82

Function 6D126E50 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6D1271B6
@, xrefs: 6D12711A

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction ID: 1f485f4e391e8dfeeb97d55023c128a7a84c13c592fc87de707e3cd3e066beef
Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction Fuzzy Hash: E9C17171E0421A8FDB05CF68C48079EBBF1BF99314F15825ADC54AB389D3B6E885CB94

Function 6D12CD90 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6D12CD9C
GetProcAddress.KERNEL32 ref: 6D12CDBC
GetProcAddress.KERNEL32 ref: 6D12CDFB

Strings

__lc_codepage, xrefs: 6D12CDF0
___lc_codepage_func, xrefs: 6D12CDB4
msvcrt.dll, xrefs: 6D12CD95

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: b793a20fc13de4808c2c95d65af2bb2a9fef36d86ead19fe30b689a995d77004
Instruction ID: a47eb9b1acd81847e49ceedd00c511d60516aec9e376d02a94c3b93d69ad311f
Opcode Fuzzy Hash: b793a20fc13de4808c2c95d65af2bb2a9fef36d86ead19fe30b689a995d77004
Instruction Fuzzy Hash: 35F049B19852098BDB40BF3D594935ABEF4BB15210B41453EE989DB208E7B2D490CBE3

Function 6D091020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6D091281,?,?,?,?,?,?,6D0913AE), ref: 6D091057
_amsg_exit.MSVCRT ref: 6D091086

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 68b1e46db9a09d48c65e488adb47a4075adb5b64f87cab3c4cc277e521772e42
Instruction ID: cca9ca0bc23db77902f314e14f85a4589bb17035f61c40ea666e15b2e929ed4e
Opcode Fuzzy Hash: 68b1e46db9a09d48c65e488adb47a4075adb5b64f87cab3c4cc277e521772e42
Instruction Fuzzy Hash: 35315B70B082428BEB02AF69C58872B77F9EBC6748F41852DD5448F644D7B6D881EBC3

Function 6D126C79 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D126B87
fputc.MSVCRT ref: 6D126BF7
memset.MSVCRT ref: 6D126CB2

Strings

0, xrefs: 6D126CA7
o, xrefs: 6D126CBA

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
Instruction ID: bc4b164e716f6c82d7d59bd9710e5afca554b3b2e12644b40a220cea179e9b40
Opcode Fuzzy Hash: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
Instruction Fuzzy Hash: 02316D71A083098FCB01CF68C5D479AB7F1BF48354F118529DA95AB389E7B6E880CF90

Function 6D124E70 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6D124ECF
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D125DAF), ref: 6D124F0F
malloc.MSVCRT ref: 6D124F44
qsort.MSVCRT ref: 6D124FB4

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 61d57a99e1a71eb6b3d22c7f6cecef2cb37fd125c5512ece1f845ff2c9c3a6a3
Instruction ID: 2134e80477beec2d0eee8badb10d9a08f6ffc194181be39455144c76ce1e2543
Opcode Fuzzy Hash: 61d57a99e1a71eb6b3d22c7f6cecef2cb37fd125c5512ece1f845ff2c9c3a6a3
Instruction Fuzzy Hash: C3416C716183018FD310CF29D48462AB7F5BFD9314F46892DE8899B358D7B6E885CB82

Function 6D1259F0 Relevance: 7.6, APIs: 5, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6D125AA0
SetLastError.KERNEL32 ref: 6D125ADF

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: ErrorLastLocaleThread
String ID:
API String ID: 1348403374-0
Opcode ID: b539952f101a75f6b5690ac0a2cb3bb101deeaae0df000b25f4e17b6a796b7c5
Instruction ID: c416d38d96b1b34b5cbd666bf7800dd3de0ac8e3fe48a76942804a54a1e3d0a0
Opcode Fuzzy Hash: b539952f101a75f6b5690ac0a2cb3bb101deeaae0df000b25f4e17b6a796b7c5
Instruction Fuzzy Hash: BC21D9716142018FE7009B39D8C9667B7F1BF95324F09C629D599C73C8EB72E894CB91

Function 6D12C7C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6D12C7D9
_unlock.MSVCRT ref: 6D12C801
calloc.MSVCRT ref: 6D12C84F

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction ID: 2208be232fbdcddfd4de721b571527249f6f29c75eeacf9421efcee4af9cf78d
Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction Fuzzy Hash: 271160716082018FD740DF28C48075ABBE1FF89310F16C669DA98CF249EBB5C884CBA2

Function 6D125FC0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6D125FF0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D1246F9), ref: 6D125FFC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1246F9), ref: 6D12600E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D1246F9), ref: 6D12601E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D1246F9), ref: 6D126030

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 3cf8d3a7be72c9dec8dae7252a0f475b29843d1c242eaca5f117aa3185ab9dee
Instruction ID: 7a249a0b4d66b77259949d2c169a2c700fb8d91352c43b9707fb7f65d95cc00c
Opcode Fuzzy Hash: 3cf8d3a7be72c9dec8dae7252a0f475b29843d1c242eaca5f117aa3185ab9dee
Instruction Fuzzy Hash: F8014071504709CFDB00BF7D95CA62BFBBCAB86218F01062DE99487648E770A498CB93

Function 6D1288EA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6D128337
(null), xrefs: 6D128917

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: a7f97fb10b5aebdee99f5b22295e291c9b8d6cd3b139bc47fb1e9c480b72151c
Instruction ID: fa7ec6bc6bf9c80fa2dc061fbcaedcfbffed896c97e8e8e4b674b54507beb4f9
Opcode Fuzzy Hash: a7f97fb10b5aebdee99f5b22295e291c9b8d6cd3b139bc47fb1e9c480b72151c
Instruction Fuzzy Hash: 6FA1A47160C3968BD721CF24C4907ABBBE1BF85304F118A1DD9D897389D7B6D985CB82

Function 6D12B980 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6D12BAED
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6D12BAA0
Unknown pseudo relocation protocol version %d., xrefs: 6D12BC73

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 5ac9a57765888f3bb39d11d5df942cbdea910d5a28bc109d103c677ac158973a
Instruction ID: d94622653ab4e68e07d8a084f9622d2d5358b3f35682ffe0453b86ff8b394eab
Opcode Fuzzy Hash: 5ac9a57765888f3bb39d11d5df942cbdea910d5a28bc109d103c677ac158973a
Instruction Fuzzy Hash: 26718F71E186068FCB00CF69DA80B9EB7F1FF95304F158529D954AB24CD3B2A891CBD2

Function 6D126243 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6D12625F
abort.MSVCRT ref: 6D1262A2
free.MSVCRT ref: 6D1262C5

Part of subcall function 6D126170: _beginthread.MSVCRT ref: 6D126196
Part of subcall function 6D126170: _errno.MSVCRT ref: 6D1261A1
Part of subcall function 6D126170: _errno.MSVCRT ref: 6D1261A8
Part of subcall function 6D126170: abort.MSVCRT ref: 6D1261CD

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6D126292

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfreemalloc
String ID: runtime/cgo: out of memory in thread_start
API String ID: 2078976911-3894583329
Opcode ID: 8cbb22305f053a83b39138e7bfd7f2a28449725fae467bd531b13b04d614a0fd
Instruction ID: 1404a1b5dbac1db0e44b9fe0489c30ae87c1e20965aaa990bcb8db1b269e42ce
Opcode Fuzzy Hash: 8cbb22305f053a83b39138e7bfd7f2a28449725fae467bd531b13b04d614a0fd
Instruction Fuzzy Hash: BB211DB59087448FC700EF68D58451AFBF5FF89304F46899DEA889B319D375E880CB92

Function 6D125E90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6D125EB2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D125F65), ref: 6D125ECB
abort.MSVCRT ref: 6D125EF5

Strings

runtime: failed to create runtime initialization wait event., xrefs: 6D125EE5

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabort
String ID: runtime: failed to create runtime initialization wait event.
API String ID: 3843693739-3277801083
Opcode ID: b7adac9b97cab6ce378ef1825a76c22b9018c5478a3fd2c7e21c8e96adaaf75a
Instruction ID: 32cf320b931d9860a4fb76ed7d5cb7e122ead2a3d7f5be4cd81611105cb32904
Opcode Fuzzy Hash: b7adac9b97cab6ce378ef1825a76c22b9018c5478a3fd2c7e21c8e96adaaf75a
Instruction Fuzzy Hash: 35F01DB14087018FEB00BF78C15D36EBAF4BB41318F81885CD59586648EBB9C084CB53

Function 6D12C8F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6D12C942
MultiByteToWideChar.KERNEL32 ref: 6D12C985

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 9a73f6b7830528ac94cece8773e092ec2bc07413332e6c39bfdd4679e4c5c399
Instruction ID: bb7d5a70922e87aca826780cd94f52479573ad2d4cc314e94ce1ab498f77cdf1
Opcode Fuzzy Hash: 9a73f6b7830528ac94cece8773e092ec2bc07413332e6c39bfdd4679e4c5c399
Instruction Fuzzy Hash: EC31F7B15093428FDB00DF29D48475ABBF1BF96314F00891EE9D487258E3B6D988CB43

Function 6D128248 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

@, xrefs: 6D128337
u, xrefs: 6D128286

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 03ca6ec13e362cefde609118bed27ff3eddb710d294e12a51d4754b51bdd54b5
Instruction ID: ea79a148484ad32611c4ed20ce1d17869ea6ba68a43f849e576e2fe4630de7bc
Opcode Fuzzy Hash: 03ca6ec13e362cefde609118bed27ff3eddb710d294e12a51d4754b51bdd54b5
Instruction Fuzzy Hash: FBA1937160C3928BD721CF24C4903ABBBF1BF85308F158A1DD9D857299D7B6D985CB82

Function 6D128911 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6D128AAE

Part of subcall function 6D126520: fputc.MSVCRT ref: 6D1265E8

Strings

@, xrefs: 6D128337
(null), xrefs: 6D128917

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: b9de63760a072585c5d6ba367ac287ae06c0bea925fd8181ba00582849597dc3
Instruction ID: c8bbcf382787066b9f0390e1dc77497fd9dcdb61922e59e325b248db6f27200a
Opcode Fuzzy Hash: b9de63760a072585c5d6ba367ac287ae06c0bea925fd8181ba00582849597dc3
Instruction Fuzzy Hash: 9C91937160C3968BD7218F24C4903ABBBF1BF85304F118A1DD9D897389D7B6D986CB82

Function 6D1266A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D126721

Strings

NaN, xrefs: 6D1266A1

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction ID: af8f8f2efcccd7b523b77922b85f52fd8a94c14984435d341613793f27ba8921
Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction Fuzzy Hash: AF4118B5A05219CBCB10CF18D484756B7E1BF95714B26C299DD488F38ED3B6D882CBD0

Function 6D126C36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D126B87
fputc.MSVCRT ref: 6D126BF7
memset.MSVCRT ref: 6D126CB2

Strings

o, xrefs: 6D126C4E

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
Instruction ID: 877fe9e046541077cf646aceff594c6f25da98fce9c30cfb0255e6c65ae5ec19
Opcode Fuzzy Hash: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
Instruction Fuzzy Hash: DE317071A08209CFC701CF68C59079AB7F1BF48350F158659D999AB389E7B6E980CBC0

Function 6D127114 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D12707F
fputc.MSVCRT ref: 6D1270E1

Strings

@, xrefs: 6D12711A

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
Instruction ID: d7255f86b1dfcdade91b63c6e6a2c8c50d60f86829018095557c74bdf10ec467
Opcode Fuzzy Hash: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
Instruction Fuzzy Hash: AF110DB1D082018BCB01CFA8C1907567BB1BF96300F26865ADE995F24ED7B6E885CB59

Function 6D12A850 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,6D12A971,?,?,?,?,?,?,00000000,6D128C14), ref: 6D12A877
InitializeCriticalSection.KERNEL32(?,?,?,?,6D12A971,?,?,?,?,?,?,00000000,6D128C14), ref: 6D12A8B4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6D12A971,?,?,?,?,?,?,00000000,6D128C14), ref: 6D12A8C0
EnterCriticalSection.KERNEL32(?,?,?,?,6D12A971,?,?,?,?,?,?,00000000,6D128C14), ref: 6D12A8E8

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 7b213b8cb6ae501d959c0c5977980788118c6f0f1801d1e4b33d540f7e0dbeb2
Instruction ID: 17a262c4f8c178f21b018eb6a6cf859d41a052af341187d6b7b3448650e97ea5
Opcode Fuzzy Hash: 7b213b8cb6ae501d959c0c5977980788118c6f0f1801d1e4b33d540f7e0dbeb2
Instruction Fuzzy Hash: E81161B190410A8FDF02AB28948AB6A77F4FF66358F010429C852C7208E773D8C5D7D3

Function 6D12BC80 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6D12BC8E
TlsGetValue.KERNEL32 ref: 6D12BCB5
GetLastError.KERNEL32 ref: 6D12BCBC
LeaveCriticalSection.KERNEL32 ref: 6D12BCDC

Memory Dump Source

Source File: 00000003.00000002.2212531983.000000006D091000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D090000, based on PE: true

Associated: 00000003.00000002.2212515659.000000006D090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212599577.000000006D12D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212619894.000000006D12E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212640649.000000006D12F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212661061.000000006D134000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212792942.000000006D1DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212816332.000000006D1E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212938204.000000006D1FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212957971.000000006D202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2212978463.000000006D203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2213008790.000000006D206000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d090000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 2cecce9039be08b333e797f253616daef78af369d3019284e4d72ef21af54a78
Instruction ID: 648da44f8daf49d19592b1c139fe631c825b14d2a997d03a20e4abc1477935ab
Opcode Fuzzy Hash: 2cecce9039be08b333e797f253616daef78af369d3019284e4d72ef21af54a78
Instruction Fuzzy Hash: ECF081B59002168FCB00BF78D589A5BBB74BF56318B01052CDD4587309EB31E894CBE3

Analysis Process: rundll32.exePID: 6496, Parent PID: 5500COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Executed Functions

Function 6D166170 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D166196
_errno.MSVCRT ref: 6D1661A1
_errno.MSVCRT ref: 6D1661A8
abort.MSVCRT ref: 6D1661CD
Sleep.KERNEL32 ref: 6D1661E6

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D1661B9

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabort
String ID: runtime: failed to create new OS thread (%d)
API String ID: 3675047324-3231778263
Opcode ID: b4d6b54b2ed21a385bfeeba864446eb5fdf9002bd212b3f37c5e16bce05eacc1
Instruction ID: 884207954e5b8f95705a692fe1774288cc3b0547021670c9edbf0a8885091667
Opcode Fuzzy Hash: b4d6b54b2ed21a385bfeeba864446eb5fdf9002bd212b3f37c5e16bce05eacc1
Instruction Fuzzy Hash: 43017CB54083649FC700BF68D88862EBBF4FF85314F42485DE98943216C771A490DBA3

Function 6D1661F6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D166196
_errno.MSVCRT ref: 6D1661A1
_errno.MSVCRT ref: 6D1661A8
abort.MSVCRT ref: 6D1661CD
Sleep.KERNEL32 ref: 6D1661E6

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D1661B9

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabort
String ID: runtime: failed to create new OS thread (%d)
API String ID: 3675047324-3231778263
Opcode ID: 4a5b6c8ca54d74d0df4f0f4e943cbf3e83b13e02837cd23482a2c135bf1df30f
Instruction ID: af687e677f320c1543c84f9c198ed3d2fe3fb6178c611011a67a28cb37e664e4
Opcode Fuzzy Hash: 4a5b6c8ca54d74d0df4f0f4e943cbf3e83b13e02837cd23482a2c135bf1df30f
Instruction Fuzzy Hash: BD0181B54083649FC700AF64C88875ABBF4FF86355F42484CE58843212C770A450CBA2

Function 6D13CFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 6D13CFE8

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: 2e4f365649abfb779f7c8c0ba7e0cd91d305aa44d3558214610b25da9c58e564
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: C3E0E571505610CFCB15DF28C2C171ABBE1EB48A00F0485A8DE098F74AD774ED10CBD2

Non-executed Functions

Function 6D16B7C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6D16B7EF
vfprintf.MSVCRT ref: 6D16B80F
abort.MSVCRT ref: 6D16B814
VirtualQuery.KERNEL32 ref: 6D16B8AB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6D16B957
Mingw-w64 runtime failure:, xrefs: 6D16B7E8
VirtualProtect failed with code 0x%x, xrefs: 6D16B926
Address %p has no image-section, xrefs: 6D16B96B

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 5a58bce057ced17e24957edee98d050f49b683750da538c1c891f71cd97a37ad
Instruction ID: d98de6657574f5259e006be59eb26a450e83f45a025ee6725074746e547b611c
Opcode Fuzzy Hash: 5a58bce057ced17e24957edee98d050f49b683750da538c1c891f71cd97a37ad
Instruction Fuzzy Hash: 17516EB19083459FCB00EF28C98865AFBF5FF84358F45C91DE9888B258D774D4A5CBA2

Function 6D164C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 162stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6D164C4A
malloc.MSVCRT ref: 6D164C6D
mbstowcs.MSVCRT ref: 6D164C9B
_wcsnicmp.MSVCRT ref: 6D164CF4
strtol.MSVCRT ref: 6D164D62
lstrlenA.KERNEL32 ref: 6D164D70
free.MSVCRT ref: 6D164E11
SetLastError.KERNEL32 ref: 6D164E56

Strings

#, xrefs: 6D164C3A

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID: #
API String ID: 533997002-1885708031
Opcode ID: 5f47c7f06fd7964f20bc687c82be474ac9878c29c9d5fd7710825a15485c0a76
Instruction ID: 1070b37b2faa09f1c51c42fa19ae6d56d1ae5e8a4f64b3ad74620477962c9a7b
Opcode Fuzzy Hash: 5f47c7f06fd7964f20bc687c82be474ac9878c29c9d5fd7710825a15485c0a76
Instruction Fuzzy Hash: 3451A971A0C3558FC710DF29D09069AB7E5FFD8304F01892EE998D3244E7B4E955CBA2

Function 6D166058 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6D166080
EnterCriticalSection.KERNEL32 ref: 6D16609F
LeaveCriticalSection.KERNEL32 ref: 6D1660B9
SetEvent.KERNEL32 ref: 6D1660CA
abort.MSVCRT ref: 6D1660F8
EnterCriticalSection.KERNEL32 ref: 6D16610A
LeaveCriticalSection.KERNEL32 ref: 6D166123

Strings

unexpected cgo_bindm on Windows, xrefs: 6D166070
runtime: failed to signal runtime initialization complete., xrefs: 6D1660E8

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabort$Event
String ID: runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 123483900-760755518
Opcode ID: 685da469430bb571d527567790d786c9172c3e615fe794ca5e80e9ad37f59bf0
Instruction ID: 9c4413d5a1381d84d3bf504ffa220af28bd2f8fec4e2c3e25c2e7cdeeb96df4f
Opcode Fuzzy Hash: 685da469430bb571d527567790d786c9172c3e615fe794ca5e80e9ad37f59bf0
Instruction Fuzzy Hash: 7811B9B18486548FDB01BFB8D10E36EBEF0BB42308F82495CD98557605EB74A5A9CB63

Function 6D16B980 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 226COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6D16BAED
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6D16BAA0
Unknown pseudo relocation protocol version %d., xrefs: 6D16BC73

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 7f1ea414dffc40a194e41361e310f74fdd9be728a2606fe67e4bad2b16ed24dd
Instruction ID: 865b7970ea598bcdb54450f5372e577f59444c0b09140c90a42b94852add7891
Opcode Fuzzy Hash: 7f1ea414dffc40a194e41361e310f74fdd9be728a2606fe67e4bad2b16ed24dd
Instruction Fuzzy Hash: 2491A1B1D0825A9FCB00DF69DA807AEB7F4FF45304F05C529E958A724CD770A865CBA2

Function 6D165156 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 6D1651AD
GetProcessHeap.KERNEL32 ref: 6D16520A
HeapAlloc.KERNEL32 ref: 6D165223
memcpy.MSVCRT ref: 6D1652E1
memset.MSVCRT ref: 6D16537C
IsBadReadPtr.KERNEL32 ref: 6D1653EF
realloc.MSVCRT ref: 6D165440

Strings

@, xrefs: 6D165210

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: Heap$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
String ID: @
API String ID: 3801555102-2766056989
Opcode ID: 71ca957877dea6ab127660e7f77f093436a67800e07dfe28dbce24cb9c75c6e1
Instruction ID: 1ebcb78700c565d2a5b3c14d39ecac184640b2a103d678930efa7cd06efd078c
Opcode Fuzzy Hash: 71ca957877dea6ab127660e7f77f093436a67800e07dfe28dbce24cb9c75c6e1
Instruction Fuzzy Hash: 1AA1EEB0A087429FD710CF29C58476AFBE0BF88318F45892DE89897701E7B4E955CF92

Function 6D1668E0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6D1669B1

Strings

0, xrefs: 6D166E2E
o, xrefs: 6D166D98

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction ID: 716c7998374537bcbcbd1f489952195b35026346977966950bf79b8dc8fa1b02
Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
Instruction Fuzzy Hash: BCF1A471A04689CFCB01CF68C48069DBBF2BF89360F15C269D994AB349D774E955CBE0

Function 6D0D13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D0D13F0
LoadLibraryA.KERNEL32 ref: 6D0D1406
GetProcAddress.KERNEL32 ref: 6D0D1425
GetProcAddress.KERNEL32 ref: 6D0D1437

Strings

__register_frame_info, xrefs: 6D0D141A
__deregister_frame_info, xrefs: 6D0D142C
libgcc_s_dw2-1.dll, xrefs: 6D0D13E9, 6D0D13FF

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: abbaed3dc6efb5349fe48090748d15a23779224c6ba645007895aaec43cd1085
Instruction ID: 72127d893e1f2b4f1f4a21abe27c3daa7400eaa85e91e70d4d945998bac03d77
Opcode Fuzzy Hash: abbaed3dc6efb5349fe48090748d15a23779224c6ba645007895aaec43cd1085
Instruction Fuzzy Hash: 510171B19093049BD750BFB8E90D35EBFF4BB46254F02842ED98457208DB708844CBA3

Function 6D168050 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6D168068

Strings

NaN, xrefs: 6D168A2B
@, xrefs: 6D168337
Inf, xrefs: 6D168B25, 6D168B3D

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: f4a57c7b05efce2915c9aabd71b47c9fbe6221af7144101e0da0eb4dc891ddce
Instruction ID: ac6e5af2eacd414c2dc7c74f26f5bf75a23fd30682470a7324c9f79d8511ca36
Opcode Fuzzy Hash: f4a57c7b05efce2915c9aabd71b47c9fbe6221af7144101e0da0eb4dc891ddce
Instruction Fuzzy Hash: CAF1E47160C3C28BD7218F24C49079BBBE1BB86314F058A2DD9DC573C9D7B59916CBA2

Function 6D166E50 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 6D16711A
0, xrefs: 6D1671B6

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction ID: 09796424e15bcf35ad8fc7f8d1af5a9aac191cbcdabd16aea774d3c5720ddac4
Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
Instruction Fuzzy Hash: 2AC18E71E1425A8BDB05CF6CC88079DBBF1BF89314F15825AEC54AB389D3B5E851CBA0

Function 6D16CD90 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6D16CD9C
GetProcAddress.KERNEL32 ref: 6D16CDBC
GetProcAddress.KERNEL32 ref: 6D16CDFB

Strings

__lc_codepage, xrefs: 6D16CDF0
msvcrt.dll, xrefs: 6D16CD95
___lc_codepage_func, xrefs: 6D16CDB4

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 8f5341073f1946c80f8d689a4e16a08e5131b730df3682415e233f8787ba498f
Instruction ID: efeaf9c3a39442909fbfb474e2a4b76c588feda5c2695f4661f90abe1e45f780
Opcode Fuzzy Hash: 8f5341073f1946c80f8d689a4e16a08e5131b730df3682415e233f8787ba498f
Instruction Fuzzy Hash: 00F04FF19892559BDF00BF3D9D0925ABEF4BA05251F01453AE845DB208E7B1D464CBF3

Function 6D0D1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6D0D1281,?,?,?,?,?,?,6D0D13AE), ref: 6D0D1057
_amsg_exit.MSVCRT ref: 6D0D1086

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 57116afab4b58d324b5d55b63b4289424bec77508f3f77734647ef8ad48dc410
Instruction ID: cdc53e00145ca3c6f0682dc8fe1cc6a8d280190deaec5eda139fc067f482ad9b
Opcode Fuzzy Hash: 57116afab4b58d324b5d55b63b4289424bec77508f3f77734647ef8ad48dc410
Instruction Fuzzy Hash: F43150B0648342CBEB41BF68C58931B7BF5EB86748F41842AD9548B204DBB6D4D1CB93

Function 6D166C79 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D166B87
fputc.MSVCRT ref: 6D166BF7
memset.MSVCRT ref: 6D166CB2

Strings

o, xrefs: 6D166CBA
0, xrefs: 6D166CA7

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
Instruction ID: 5862f3765f2e813e7a75c8033ea2ead77e2bb4c7b5d06e1fddabadc80bbed959
Opcode Fuzzy Hash: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
Instruction Fuzzy Hash: 4F316D71A08389CFCB00CF69C19479ABBF1BF49354F0585A9D995AB349D7B4E810CBA0

Function 6D164E70 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6D164ECF
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D165DAF), ref: 6D164F0F
malloc.MSVCRT ref: 6D164F44
qsort.MSVCRT ref: 6D164FB4

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 14f644bb386251c29df3357f2a0d954a5cf63e89b649388142d06d5ce80b4f58
Instruction ID: d6fb1490b872bd90b824915253df02350efbec141fb6d6f42fb9cd130efb8cfd
Opcode Fuzzy Hash: 14f644bb386251c29df3357f2a0d954a5cf63e89b649388142d06d5ce80b4f58
Instruction Fuzzy Hash: FC419A716083418FD300CF2DD49062ABBF1FF89304F06896DE8889B354E7B5E865CBA2

Function 6D1659F0 Relevance: 7.6, APIs: 5, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6D165AA0
SetLastError.KERNEL32 ref: 6D165ADF

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: ErrorLastLocaleThread
String ID:
API String ID: 1348403374-0
Opcode ID: 976f2338b3617b8525f5b8f3a1d11c26b7852b9f0fa4a6ab6633cdc64d5578bf
Instruction ID: 7e82eea3f1ac82f03a153e27f319ea477cae5ced282191fc428066afa67d2bd0
Opcode Fuzzy Hash: 976f2338b3617b8525f5b8f3a1d11c26b7852b9f0fa4a6ab6633cdc64d5578bf
Instruction Fuzzy Hash: F12198716182018BE700EB39D884667B7F5BF85315F098628E999C73C5DB74E864CBA1

Function 6D16C7C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6D16C7D9
_unlock.MSVCRT ref: 6D16C801
calloc.MSVCRT ref: 6D16C84F

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction ID: eef192b6136833fc69c2f2ef5a8a3e277afd84fb08bb2d6b4a209c21e908c9c2
Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
Instruction Fuzzy Hash: F4114C716082918FDB509F28C48075ABFE5BF89310F06C569D998CF249EBB4C850CBB2

Function 6D165FC0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6D165FF0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D1646F9), ref: 6D165FFC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1646F9), ref: 6D16600E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D1646F9), ref: 6D16601E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D1646F9), ref: 6D166030

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: e3e14f08fe14027ff96663a5cbfd023c7491335b66f115f80991947fbe9afa13
Instruction ID: 521bc9e2230bd222e5036c7403cffbf37d6b4eaa4e9c1d9f141ad30b43df8a2b
Opcode Fuzzy Hash: e3e14f08fe14027ff96663a5cbfd023c7491335b66f115f80991947fbe9afa13
Instruction Fuzzy Hash: CF019270544745CBDB00BF7DC58A61BFFB4AF82218F014629DC8443645E770A4A8CBA3

Function 6D166243 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6D16625F
abort.MSVCRT ref: 6D1662A2
free.MSVCRT ref: 6D1662C5

Part of subcall function 6D166170: _beginthread.MSVCRT ref: 6D166196
Part of subcall function 6D166170: _errno.MSVCRT ref: 6D1661A1
Part of subcall function 6D166170: _errno.MSVCRT ref: 6D1661A8
Part of subcall function 6D166170: abort.MSVCRT ref: 6D1661CD

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6D166292

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfreemalloc
String ID: runtime/cgo: out of memory in thread_start
API String ID: 2078976911-3894583329
Opcode ID: 2d56005f4cd9a6fc2366fe4d5994039d2cf6281098303b901cdb248aaf12b0ae
Instruction ID: d35c6e8739b41608bca8d5f3bf57dcdf954ca2a5ecdab4d2affdad41f7ea8c38
Opcode Fuzzy Hash: 2d56005f4cd9a6fc2366fe4d5994039d2cf6281098303b901cdb248aaf12b0ae
Instruction Fuzzy Hash: FB211DB59087448FCB00EF28D58491AFBF4FF89304F46899DE9885B325D374A851CBE2

Function 6D165CF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D165CF4
FormatMessageA.KERNEL32 ref: 6D165D39
LocalFree.KERNEL32 ref: 6D165D6E

Strings

Erro: %s, xrefs: 6D165D53

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: Erro: %s
API String ID: 1365068426-2412703935
Opcode ID: 5cddfcaa569b4aba81c01c55072f3f362e848811dda62cf7c98ab8c313b4886c
Instruction ID: b5efff4a04ba46124efd617762731ff107ff83af4d5d6d50169ea3492c2aaabb
Opcode Fuzzy Hash: 5cddfcaa569b4aba81c01c55072f3f362e848811dda62cf7c98ab8c313b4886c
Instruction Fuzzy Hash: 5A018CB04083019FE700AF64C58931ABBF0BB88349F40891DE9989A255D7B88598CF93

Function 6D165E90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6D165EB2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D165F65), ref: 6D165ECB
abort.MSVCRT ref: 6D165EF5

Strings

runtime: failed to create runtime initialization wait event., xrefs: 6D165EE5

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabort
String ID: runtime: failed to create runtime initialization wait event.
API String ID: 3843693739-3277801083
Opcode ID: d7e6078e17f4dc02cbf9c793e6ad760ce3b170bf15b3347d3e31d307544895c8
Instruction ID: 0a59dfa614c33a9140dc8b040c7ddc3534dc6d706c38318b2849973c0fb6cccc
Opcode Fuzzy Hash: d7e6078e17f4dc02cbf9c793e6ad760ce3b170bf15b3347d3e31d307544895c8
Instruction Fuzzy Hash: E6F01DB14487118BEB00BF78C51D36EBEF0BB41304F81895CD89986245EBB980A4CB63

Function 6D16C8F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6D16C942
MultiByteToWideChar.KERNEL32 ref: 6D16C985

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 2307138fbe116b323e3cd9626363cf89d320e265f9545b4f5629194c484e2f6f
Instruction ID: 90d4547dff6952e64525341d645c934f6f5a6725d4f9e1f4d4bfa4149ecc8037
Opcode Fuzzy Hash: 2307138fbe116b323e3cd9626363cf89d320e265f9545b4f5629194c484e2f6f
Instruction Fuzzy Hash: 7931D3B15093928FDB00DF29D48435ABBF1BF96314F00891EE89487258E7B6D958CB62

Function 6D1666A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D166721

Strings

NaN, xrefs: 6D1666A1

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction ID: 1446e51d677f0a63e7825684db47d01d7c600bcca1297f726f924f5b8338f3a1
Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
Instruction Fuzzy Hash: ED4118B5A052998BCB10CF18C484756B7E1BF95704F26C2A9DD488F34ED3B6D852CBE0

Function 6D166C36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D166B87
fputc.MSVCRT ref: 6D166BF7
memset.MSVCRT ref: 6D166CB2

Strings

o, xrefs: 6D166C4E

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
Instruction ID: b82dadcb3b97a7d4b47496fba0a1a45efbccd4e0facdb23a9b8d094717c3fd33
Opcode Fuzzy Hash: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
Instruction Fuzzy Hash: 46318471A08789CFC701CF68C190799BBF1BF48350F068699D989AB309E7B4E950CBE0

Function 6D167114 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6D16707F
fputc.MSVCRT ref: 6D1670E1

Strings

@, xrefs: 6D16711A

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
Instruction ID: c64b2e02a536cefea7c1e8600dce969d495a33643ea444ae3ae8823198144950
Opcode Fuzzy Hash: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
Instruction Fuzzy Hash: 42113DB1D18281CBCB01CFA8C1807557BB1BF96300F26865ADD985FA4ED3B5E811CB71

Function 6D164FE0 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6D165002
free.MSVCRT ref: 6D165042
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,6D165590), ref: 6D16506B
HeapFree.KERNEL32 ref: 6D165080

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: cad3d01592544eb18103612991c7784c7c8dd34eae3edf6f8514a8e8ba44fad8
Instruction ID: 62e2ff19f6f8e8a6524990acb1490950ba010063ae3c7cab6f46f2500dea31b5
Opcode Fuzzy Hash: cad3d01592544eb18103612991c7784c7c8dd34eae3edf6f8514a8e8ba44fad8
Instruction Fuzzy Hash: A821E5B06093418BEB00AF64C4D872ABBF0BF94304F55C96DD8898B20ED775D895CBA1

Function 6D16A850 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,6D16A971,?,?,?,?,?,?,00000000,6D168C14), ref: 6D16A877
InitializeCriticalSection.KERNEL32(?,?,?,?,6D16A971,?,?,?,?,?,?,00000000,6D168C14), ref: 6D16A8B4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6D16A971,?,?,?,?,?,?,00000000,6D168C14), ref: 6D16A8C0
EnterCriticalSection.KERNEL32(?,?,?,?,6D16A971,?,?,?,?,?,?,00000000,6D168C14), ref: 6D16A8E8

Memory Dump Source

Source File: 0000000D.00000002.2306237751.000000006D0D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0D0000, based on PE: true

Associated: 0000000D.00000002.2306207495.000000006D0D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306367024.000000006D16D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306394381.000000006D16E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306421468.000000006D16F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306451366.000000006D174000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306575386.000000006D21D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D223000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306692770.000000006D228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306742643.000000006D23B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306765691.000000006D242000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306862450.000000006D243000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2306909258.000000006D246000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d0d0000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 100279e3b1bc34d673b8c862b15188e0576dd62c71db8c7727f6a085a6fc089b
Instruction ID: f38f5ce49fe611577765c475f8a4280b6937744cda9b6b4c2d72b9cfb63bbe99
Opcode Fuzzy Hash: 100279e3b1bc34d673b8c862b15188e0576dd62c71db8c7727f6a085a6fc089b
Instruction Fuzzy Hash: B4118EB19441658ADB02BB28D48AB6A77F8AB56354F120425CC52CB209E772D8F5C7A3

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.289973116921106
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WW15vnG9EY.dll
File size:	1'397'248 bytes
MD5:	4da91b21a75c396b98219ddf500051b7
SHA1:	c84478746587c5bef9f1d2550629660197cd0b7b
SHA256:	70ebafe5935dc5fa81a5e82e5f9ed83c7862e3d785f6b52351703d44e644dbfa
SHA512:	3d47e53d5fdacc5a4d75c09776235cc4d7b9f7d4c81d3467b67ecef0a8503ee8967c57434678aceda32eefe5a05bf4dcf6468211ef1a530884fd75368f0aa96b
SSDEEP:	24576:mb2QHDFnfLnvQ1BsXlTm4IW35sPdyVPLiftn80OnMgy8:mDlS06U9N5
TLSH:	03552900FD8744F1E003263285A7A2AF63256D094F31DBD7FB48BA7DFA736950936296
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...*.....N...N.................m................................m.....@... ...................... ..-..

Entrypoint:	0x6d8c1390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d8c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6d95b710, 0x6d95b6c0
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	fc4278e40a172f1e8b037cb3d2809e66

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x172000	0x12d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x173000	0xbb0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x176000	0x882c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x14a444	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1731dc	0x1a0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9be78	0x9c000	32caff48218a21e80281b0eeed21f4a5	False	0.47325877654246795	data	6.302901230623459	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9d000	0x67ec	0x6800	8f2cbca174bb83a0a86355f0728b3c41	False	0.42101111778846156	dBase III DBT, version number 0, next free block index 1, 1st item ""	4.459575171219113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0xa68cc	0xa6a00	0a17213743277c78d381b4e780203da1	False	0.43165820752063017	data	5.601603835374281	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x14b000	0x1e94	0x2000	b3586cda6a9f1266d88c9bd57736d705	False	0.3330078125	data	4.772055814218093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x14d000	0x24df0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x172000	0x12d	0x200	c87fc8f8787817a98c6f2502635f9f1e	False	0.462890625	data	3.4271057556060756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x173000	0xbb0	0xc00	f9325c52db82893fba8d59d311b3a681	False	0.408203125	data	5.213100684276811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x174000	0x2c	0x200	39d753f3f872fc69a1bf3c2eedf6fbbd	False	0.056640625	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x175000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x176000	0x882c	0x8a00	b74fd00ee9b0319a1fe064eeff43efa8	False	0.6625339673913043	data	6.627412753213743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WW15vnG9EY.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 5500, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 1080, Parent PID: 5500

General

Chronological Activities

Analysis Process: cmd.exePID: 2436, Parent PID: 5500

General

Chronological Activities

Analysis Process: rundll32.exePID: 1476, Parent PID: 5500

Windows Analysis Report
WW15vnG9EY.dll

Function 6D126170 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
sleepCOMMON

Function 6D1261F6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
sleepCOMMON

Function 6D0FCFC0 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Function 6D0A59F0 Relevance: 18.5, Strings: 14, Instructions: 1019
COMMON

Function 6D0B93F0 Relevance: 16.9, Strings: 13, Instructions: 643
COMMON

Function 6D0C1570 Relevance: 16.4, Strings: 13, Instructions: 150
COMMON