Windows Analysis Report
dRs2BksGEy.dll

Overview

General Information

Sample name: dRs2BksGEy.dll (renamed because original name is a hash value)
Original sample name: 5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41.dll
Analysis ID: 1544794
MD5: 5408904cb76332f662c09afa85c2e530
SHA1: d0dc9556efac593d89f07c308a0edd6b58fe6f0e
SHA256: 5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2768 cmdline: loaddll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1608 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5940 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 828 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5424 cmdline: rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5700 cmdline: rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 792 cmdline: rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5552 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2036 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6840 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1872 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5548 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3404 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4004 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5908 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6544 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5196 cmdline: rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D211830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD1830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD1830
Source: dRs2BksGEy.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: dRs2BksGEy.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (3_2_6D1E2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (3_2_6D1E2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (3_2_6D1FCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (3_2_6D209030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (3_2_6D20A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CFA2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CFA2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (13_2_6CFBCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (13_2_6CFC9030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (13_2_6CFCA360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CFA2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CFA2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (17_2_6CFBCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (17_2_6CFC9030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (17_2_6CFCA360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D211A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D212A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D211570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D2111F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD2A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD1A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD2A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD1A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D264D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D23BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D266C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1E2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1E2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D274F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D21CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D272E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1EBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D25CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D235ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1F59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D2659D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D24A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1EFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1F0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D262560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D238570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D2695A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D203400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D226470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D201440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D25E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D266740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D206630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D23D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D216010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1F80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1E90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D21A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D24332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D2093F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D273230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D21E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D247280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1E32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D20B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D024D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFA2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFA2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFFBC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D026C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFF5ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D034F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFABE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFDCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D032E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D01CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D0259D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFB59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCD9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D00A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFB0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCCA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFAFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D022560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFE6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D0295A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFC1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFC3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFF8570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFFD6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D01E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D026740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFC6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFA90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFB80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCD040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFD6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFCB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D00332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFA32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFDE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFC93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D033230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6D007280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CFDA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D217410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D006A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D246A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CFA2C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CFD7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CFD5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D005740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CFD3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836
Source: dRs2BksGEy.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D275B30 GetLastError,FormatMessageA,fprintf,LocalFree,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d9df36c7-8e70-4530-a918-8d962597685f
Source: dRs2BksGEy.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: unknown - Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll"
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 828
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 824
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe - Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe - Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe - Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe - Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe - Section loaded: apphelp.dll
Source: dRs2BksGEy.dll - Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: dRs2BksGEy.dll - Static file information: File size 1368576 > 1048576
Source: dRs2BksGEy.dll - Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 3_2_6D1E13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D1E13E0
Source: dRs2BksGEy.dll - Static PE information: real checksum: 0x158f05 should be: 0x1505df
Source: dRs2BksGEy.dll - Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe - Code function: 0_2_0143D74E push cs; ret 0_2_0143D74F
Source: C:\Windows\System32\loaddll32.exe - Code function: 0_2_0143CD7A push ebp; retf 0_2_0143CD7C
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 3_2_6D255094 pushad ; ret 3_2_6D255095
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 3_2_6D25509D pushad ; ret 3_2_6D25509E
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 11_2_0543C8DE push esp; ret 11_2_0543C8F4
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 11_2_0543D7F9 pushfd ; iretd 11_2_0543D80C
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_0503AF34 push eax; retf 12_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 13_2_6D015094 pushad ; ret 13_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 13_2_6D01509D pushad ; ret 13_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 14_2_04C3CD8B push esp; iretd 14_2_04C3CDAA
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 14_2_04C3CD28 push eax; ret 14_2_04C3CD29
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 14_2_04C3AF34 push eax; retf 14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 15_2_0503D2D3 push esp; ret 15_2_0503D2ED
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 15_2_0503AF34 push eax; retf 15_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 17_2_6D015094 pushad ; ret 17_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 17_2_6D01509D pushad ; ret 17_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 18_2_0503C34B pushfd ; retf 18_2_0503C369
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 18_2_0503AF34 push eax; retf 18_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 20_2_0443C90D push ds; ret 20_2_0443C90E
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 21_2_0483AF58 push eax; retf 21_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 22_2_0543C39F pushad ; iretd 22_2_0543C3A5
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 22_2_0543AF34 push eax; retf 22_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 24_2_0503C8B7 push ebp; retf 24_2_0503C8F8
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 24_2_0503AF34 push eax; retf 24_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 24_2_0503C39B push ebp; retf 24_2_0503C8F8
Source: C:\Windows\System32\loaddll32.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D24C0C0 rdtscp 3_2_6D24C0C0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.8 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1E13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6D1E13E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D274F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,3_2_6D274F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D276300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_6D276300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D2762FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_6D2762FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6D0362FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6D0362FC
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D276250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_6D276250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D211C90 RtlGetVersion,RtlGetCurrentPeb,3_2_6D211C90
Tactic: techniques (report count in parentheses)
  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (2), Native API (1), At, Cron, Launchd, Scheduled Task
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
  • Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
  • Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Rundll32 (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: System Time Discovery (1), Security Software Discovery (3), Virtualization/Sandbox Evasion (11), System Information Discovery (3), Internet Connection Discovery, Wi-Fi Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID: 1544794; Sample: dRs2BksGEy.dll; Start date: 29/10/2024; Architecture: WINDOWS; Score: 48)
  • Signature on the sample: AI detected suspicious sample
  • loaddll32.exe
    • rundll32.exe
      • Signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
      • WerFault.exe
    • cmd.exe
      • rundll32.exe
        • WerFault.exe
    • rundll32.exe
      • WerFault.exe
    • 12 other processes

Source | Detection | Scanner
dRs2BksGEy.dll | 5% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544794
Start date and time:2024-10-29 18:51:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:dRs2BksGEy.dll
renamed because original name is a hash value
Original Sample Name:5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 70%
  • Number of executed functions: 7
  • Number of non-executed functions: 116
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 2768 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2036 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3404 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4004 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5196 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5548 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5700 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5908 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5940 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6544 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6840 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 792 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: dRs2BksGEy.dll
Time | Type | Description
13:52:29 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.270971784420794
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dRs2BksGEy.dll
File size:1'368'576 bytes
MD5:5408904cb76332f662c09afa85c2e530
SHA1:d0dc9556efac593d89f07c308a0edd6b58fe6f0e
SHA256:5314ad14c81fa4099d8608c95c82d31f07d32a5c4c407c5ec3c3508a28e72b41
SHA512:15bf68dc8a0256cd1548783274018382546d4c4deb75d53ed82c49c9de9350f7383dc87609bc09e3b5927df73f65721e6950c95d30217bbe5a92b791a421e8c6
SSDEEP:24576:MmuEK/vLJrWnfL8lcmfYm9FBmiu/+znlMqHNMsfNjF02nMWU:MRJrhHRdY0ld
TLSH:A8550800FDC784F1E403263285AB62AB6325AD195F31CBC7FB44BB79FA776954832285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m......................................@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F5AB5298E9Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F5AB5298D02h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F5AB532DD1Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007F5AB5298E59h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F5AB532EB6Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F5AB5298EF5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F5AB5298E93h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fd0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 9ea4a82fd4e60f8c004a91e6611ae41c | False | 0.4697915583402662 | data | 6.282346381872946 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | 385a798458db0898433d7cab18d59df8 | False | 0.42044771634615385 | data | 4.442318225516769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa63a0 | 0xa6400 | b2382868fbb9751c79ae434240bbff93 | False | 0.43169789708646616 | data | 5.58957621003733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | fbb66618699b0a6c6649977b4061f913 | False | 0.6663602941176471 | data | 6.630453637493472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found


Target ID:0
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll"
Imagebase:0x570000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Imagebase:0xa40000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarCreate
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",#1
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 836
Imagebase:0x770000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:13:52:20
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 828
Imagebase:0x770000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:13:52:23
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarDestroy
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:13:52:26
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\dRs2BksGEy.dll,BarFreeRec
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarCreate
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarDestroy
Imagebase:0x7ff6ee680000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarFreeRec
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",_cgo_dummy_export
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellSpell
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 824
Imagebase:0x770000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellInit
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SpellFree
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",SignalInitializeCrashReporting
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",GetInstallDetailsPayload
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:13:52:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\dRs2BksGEy.dll",BarRecognize
Imagebase:0x2a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:15
    Total number of Limit Nodes:2
    Execution graph (text rendering of the graph image):
    • 6d24cea0: calls WriteFile
    • 6d276060: malloc; on one path fwrite, abort, free; otherwise calls 6d275fb0
    • 6d275fb0: _beginthread; on failure reads _errno, then either Sleep and retry _beginthread, or fprintf and abort

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D275FF9
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: dd830b884022d6e9ec078468f853597bbac3e71574443d12ad84c80868fddb2e
    • Instruction ID: b09b814be7dbbbdfc75d1af032c8ae66684c6af45d493d684dfec37f5adec00c
    • Opcode Fuzzy Hash: dd830b884022d6e9ec078468f853597bbac3e71574443d12ad84c80868fddb2e
    • Instruction Fuzzy Hash: 4901627544931ADFC720BF64C88862EBBB4FF86355F01451DE58583250C7349480DAA3

    Control-flow Graph

    APIs
    • malloc.MSVCRT ref: 6D27606F
    • fwrite.MSVCRT ref: 6D2760BD
    • abort.MSVCRT ref: 6D2760C2
    • free.MSVCRT ref: 6D2760E5
      • Part of subcall function 6D275FB0: _beginthread.MSVCRT ref: 6D275FD6
      • Part of subcall function 6D275FB0: _errno.MSVCRT ref: 6D275FE1
      • Part of subcall function 6D275FB0: _errno.MSVCRT ref: 6D275FE8
      • Part of subcall function 6D275FB0: fprintf.MSVCRT ref: 6D276008
      • Part of subcall function 6D275FB0: abort.MSVCRT ref: 6D27600D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 1b66dbcc014eeb8c8a80661ee2ffb0ca078e7650b16de52b20da6b98e2fb8de4
    • Instruction ID: caa5ca8f3483cfeda8fa03317612def186aa1123dd6e5d634265b07a1a1dc188
    • Opcode Fuzzy Hash: 1b66dbcc014eeb8c8a80661ee2ffb0ca078e7650b16de52b20da6b98e2fb8de4
    • Instruction Fuzzy Hash: F621ED75948704DFC720EF29D59891AFBF4FF8A304F4589ADE9888B325D7399840CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 17 6d24cea0-6d24ceb7 18 6d24cec8-6d24cee0 WriteFile 17->18 19 6d24ceb9-6d24cec6 17->19 19->18
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 9415c1c9b5faffa2539e13697fb71bf7aaa2d75ce03b3c65366bd91c8d520bd7
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 8EE0E571505600CFDB19DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734ED10DB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 314 6d274f30-6d274f42 315 6d275350-6d27536e SetLastError 314->315 316 6d274f48-6d274f54 314->316 317 6d275330-6d27533f SetLastError 316->317 318 6d274f5a-6d274f71 316->318 319 6d275342-6d27534e 317->319 318->315 320 6d274f77-6d274f88 318->320 320->317 321 6d274f8e-6d274f98 320->321 321->317 322 6d274f9e-6d274fa7 321->322 322->317 323 6d274fad-6d274fbb 322->323 324 6d274fc1-6d274fc3 323->324 325 6d275710-6d275712 323->325 326 6d274fc5-6d274fe3 324->326 326->326 327 6d274fe5-6d27500f GetNativeSystemInfo 326->327 327->317 328 6d275015-6d275047 327->328 330 6d275370-6d2753a3 328->330 331 6d27504d-6d275073 GetProcessHeap HeapAlloc 328->331 330->331 338 6d2753a9-6d2753bb SetLastError 330->338 332 6d275731-6d27576a SetLastError 331->332 333 6d275079-6d2750e4 331->333 332->319 334 6d2753c0-6d2753cd SetLastError 333->334 335 6d2750ea-6d27515c memcpy 333->335 339 6d2753d0-6d2753e6 call 6d274e50 334->339 342 6d275162-6d275164 335->342 343 6d2751ea-6d2751f5 335->343 338->319 347 6d275166-6d27516b 342->347 345 6d275660-6d27566a 343->345 346 6d2751fb-6d27520a 343->346 348 6d27566c-6d275680 345->348 349 6d2756eb-6d2756ee 345->349 350 6d275472-6d27549a 346->350 351 6d275210-6d27521e 346->351 352 6d275171-6d27517a 347->352 353 6d2753f0-6d2753fc 347->353 354 6d2756e6 348->354 355 6d275682-6d27568e 348->355 358 6d2754b0-6d2754c8 350->358 359 6d27549c-6d27549f 350->359 357 6d275220-6d27523a IsBadReadPtr 351->357 360 6d2751ce-6d2751dc 352->360 361 6d27517c-6d2751a8 352->361 353->334 356 6d2753fe-6d275426 353->356 354->349 362 6d275690-6d27569b 355->362 356->339 378 6d275428-6d275455 memcpy 356->378 363 6d275470 357->363 364 6d275240-6d275249 357->364 367 6d2757a6-6d2757aa 358->367 368 6d2754ce-6d2754e6 358->368 365 6d2754a5-6d2754a8 359->365 366 6d2756ff-6d275704 359->366 360->347 369 6d2751de-6d2751e6 360->369 361->339 383 6d2751ae-6d2751c9 memset 361->383 370 6d2756d2-6d2756dc 362->370 371 6d27569d-6d27569f 362->371 363->350 364->363 373 6d27524f-6d275264 
364->373 365->358 374 6d2754aa-6d2754af 365->374 366->358 382 6d2757b3-6d2757c3 SetLastError 367->382 376 6d275541-6d27554d 368->376 369->343 370->362 381 6d2756de-6d2756e2 370->381 377 6d2756a0-6d2756ad 371->377 391 6d27576f-6d27577f SetLastError 373->391 392 6d27526a-6d275285 realloc 373->392 374->358 379 6d27554f-6d275555 376->379 380 6d27555a-6d27555e 376->380 384 6d2756c3-6d2756d0 377->384 385 6d2756af-6d2756c0 377->385 386 6d275557 379->386 387 6d2755a0-6d2755a6 379->387 389 6d275560-6d275568 380->389 390 6d27556a-6d27557b 380->390 381->354 382->339 383->360 384->370 384->377 385->384 386->380 387->380 396 6d2755a8-6d2755ab 387->396 389->390 393 6d2754f0-6d2754ff call 6d2749e0 389->393 394 6d275585 390->394 395 6d27557d-6d275583 390->395 391->339 397 6d275784-6d2757a1 SetLastError 392->397 398 6d27528b-6d2752b5 392->398 405 6d275505-6d275514 393->405 406 6d275720-6d275724 393->406 399 6d27558a-6d275596 394->399 395->394 395->399 396->380 397->339 401 6d2752b7 398->401 402 6d2752e8-6d2752f4 398->402 403 6d275518-6d275530 399->403 410 6d275460-6d275465 401->410 411 6d2752f6-6d275307 402->411 412 6d2752c0-6d2752d6 402->412 407 6d275532-6d27553d 403->407 408 6d2755b0-6d2755c9 call 6d2749e0 403->408 405->403 406->339 407->376 408->339 417 6d2755cf-6d2755d9 408->417 410->357 418 6d275309-6d275326 SetLastError 411->418 419 6d2752d8-6d2752e2 411->419 412->418 412->419 420 6d275613-6d275618 417->420 421 6d2755db-6d2755e4 417->421 418->339 419->402 419->410 424 6d2756f3-6d2756fa 420->424 425 6d27561e-6d275629 420->425 421->420 422 6d2755e6-6d2755ea 421->422 422->420 426 6d2755ec 422->426 424->319 427 6d27562f-6d275649 425->427 428 6d275729-6d27572c 425->428 429 6d2755f0-6d27560f 426->429 427->382 432 6d27564f-6d275656 427->432 428->319 433 6d275611 429->433 432->319 433->420
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 20be2b3c4edbb52e9c19b89d75cad1ce52adfddb5fee4a4babe4ee582a140c8d
    • Instruction ID: 2566a96df205a2f9ec65a632a1e03511020fd2bb4b429f9286a7228ac5d13662
    • Opcode Fuzzy Hash: 20be2b3c4edbb52e9c19b89d75cad1ce52adfddb5fee4a4babe4ee582a140c8d
    • Instruction Fuzzy Hash: 414205B464970A9FD720DF29C584A2AFBF1BF88345F44892DE89987350E774E845CF82

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1131 6d1f59f0-6d1f5a05 1132 6d1f5a0b-6d1f5a31 call 6d250980 1131->1132 1133 6d1f6c61-6d1f6c66 call 6d24ae50 1131->1133 1138 6d1f5a3a-6d1f5a3d 1132->1138 1139 6d1f5a33-6d1f5a38 1132->1139 1133->1131 1140 6d1f5a40-6d1f5aa7 call 6d2509b0 call 6d24cff0 1138->1140 1139->1140 1145 6d1f5aa9-6d1f5ab1 call 6d24c260 1140->1145 1146 6d1f5ab3-6d1f5b83 call 6d219e30 call 6d24ad60 * 2 call 6d219a20 1140->1146 1145->1146 1157 6d1f5b8b-6d1f5b93 call 6d239ba0 1146->1157 1158 6d1f5b85-6d1f5b89 1146->1158 1160 6d1f5b97-6d1f5b99 1157->1160 1158->1160 1162 6d1f5bcf-6d1f5be5 1160->1162 1163 6d1f5b9b-6d1f5bca call 6d23a140 call 6d239cd0 1160->1163 1165 6d1f5be7-6d1f5bef call 6d24c260 1162->1165 1166 6d1f5bf1-6d1f5c00 1162->1166 1163->1162 1165->1166 1169 6d1f6c4a-6d1f6c60 call 6d246a90 1166->1169 1170 6d1f5c06-6d1f5f1c call 6d2509b0 call 6d24ad60 call 6d24cff0 call 6d24d050 call 6d2509d0 * 2 call 6d20fc30 call 6d23f810 * 2 call 6d2507f0 * 3 1166->1170 1169->1133 1199 6d1f5f1e 1170->1199 1200 6d1f5f24-6d1f5fc2 call 6d1ea4e0 call 6d21ed60 call 6d1ea700 call 6d201f00 call 6d1f85c0 call 6d20ce30 call 6d2029f0 1170->1200 1199->1200 1215 6d1f5fc4-6d1f5fc6 1200->1215 1216 6d1f5fd0-6d1f5fd2 1200->1216 1217 6d1f5fcc-6d1f5fce 1215->1217 1218 6d1f6c34-6d1f6c45 call 6d246a90 1215->1218 1219 6d1f6c1e-6d1f6c2f call 6d246a90 1216->1219 1220 6d1f5fd8-6d1f6095 call 6d24c476 call 6d24c94a call 6d24ad60 call 6d20d3f0 call 6d205470 call 6d24ad60 * 2 1216->1220 1217->1216 1217->1220 1218->1169 1219->1218 1237 6d1f6097-6d1f60af call 6d202a70 1220->1237 1238 6d1f60b4-6d1f60bc 1220->1238 1237->1238 1240 6d1f6abf-6d1f6b05 call 6d1ea4e0 1238->1240 1241 6d1f60c2-6d1f6130 call 6d24c47a call 6d216bb0 call 6d23fa50 1238->1241 1246 6d1f6b07-6d1f6b12 call 6d24c260 1240->1246 1247 6d1f6b14-6d1f6b30 call 6d1ea700 1240->1247 1257 6d1f6140-6d1f615e 1241->1257 1246->1247 1256 6d1f6b55-6d1f6b5e 1247->1256 1258 6d1f6b32-6d1f6b54 call 6d1e43c0 1256->1258 1259 6d1f6b60-6d1f6b8b call 6d1fed90 1256->1259 
1261 6d1f6169-6d1f61ec 1257->1261 1262 6d1f6160-6d1f6163 1257->1262 1258->1256 1272 6d1f6b8d-6d1f6b96 call 6d24ad60 1259->1272 1273 6d1f6b9b-6d1f6bf2 call 6d228b70 * 2 1259->1273 1266 6d1f6c14-6d1f6c19 call 6d24c2e0 1261->1266 1267 6d1f61f2-6d1f61fc 1261->1267 1262->1261 1265 6d1f6216-6d1f621c 1262->1265 1274 6d1f6c0a-6d1f6c0f call 6d24c2e0 1265->1274 1275 6d1f6222-6d1f63bc call 6d247ed0 call 6d216bb0 call 6d217410 call 6d217100 call 6d217410 * 3 call 6d217230 call 6d217410 call 6d216c10 call 6d24c47a 1265->1275 1266->1219 1270 6d1f620f-6d1f6211 1267->1270 1271 6d1f61fe-6d1f620a 1267->1271 1277 6d1f6132-6d1f613e 1270->1277 1271->1277 1272->1273 1288 6d1f6bf4-6d1f6bfa 1273->1288 1289 6d1f6c03-6d1f6c09 1273->1289 1274->1266 1308 6d1f645e-6d1f6461 1275->1308 1277->1257 1288->1289 1290 6d1f6bfc 1288->1290 1290->1289 1309 6d1f64e7-6d1f6690 call 6d216bb0 call 6d217410 call 6d216c10 call 6d250830 * 4 call 6d24c476 1308->1309 1310 6d1f6467-6d1f6484 1308->1310 1345 6d1f6717-6d1f671a 1309->1345 1312 6d1f648a-6d1f64e2 call 6d216bb0 call 6d217410 call 6d216c10 1310->1312 1313 6d1f63c1-6d1f6457 call 6d1f80a0 call 6d247ed0 call 6d216bb0 call 6d217410 call 6d216c10 1310->1313 1312->1313 1313->1308 1346 6d1f67c0-6d1f6a5a call 6d2509b0 * 2 call 6d216bb0 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217230 call 6d217410 call 6d216c10 1345->1346 1347 6d1f6720-6d1f6744 1345->1347 1413 6d1f6a7c-6d1f6aad call 6d216bb0 call 6d216db0 call 6d216c10 1346->1413 1414 6d1f6a5c-6d1f6a77 call 6d216bb0 call 6d217410 call 6d216c10 1346->1414 1348 6d1f674b-6d1f6779 call 6d216bb0 call 6d217410 call 6d216c10 1347->1348 1349 6d1f6746-6d1f6749 1347->1349 1357 6d1f6695-6d1f6716 call 6d1f80a0 call 6d247ed0 call 6d216bb0 call 6d217410 call 6d216c10 1348->1357 1349->1348 1351 6d1f677e-6d1f6780 1349->1351 1356 6d1f6786-6d1f67bb call 6d216bb0 call 6d217410 call 
6d216c10 1351->1356 1351->1357 1356->1357 1357->1345 1413->1240 1426 6d1f6aaf-6d1f6aba call 6d1ea700 1413->1426 1414->1413 1426->1240
    Strings
    • , xrefs: 6D1F606A
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D1F64A4, 6D1F678B
    • 5, xrefs: 6D1F6C27
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D1F6C1E
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D1F68DC
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D1F5ABA
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D1F699C
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D1F62C7
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D1F629A
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D1F64EC
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D1F6A06
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D1F6C34
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D1F6C4A
    • ., xrefs: 6D1F61FE
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: 342dd9400cde94f92d12bfed6c9bd387fb91e64bcc7688d68823794cebb0edb9
    • Instruction ID: 584f9581c347cb91cabc99be3055a11421313008ce773e66435f35d3c7f9396a
    • Opcode Fuzzy Hash: 342dd9400cde94f92d12bfed6c9bd387fb91e64bcc7688d68823794cebb0edb9
    • Instruction Fuzzy Hash: 72B20674A0D345DFC764EF28C590B9ABBF5FB8A304F01892ED98987350DB74A845CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1428 6d2093f0-6d209402 1429 6d209f94-6d209f99 call 6d24ae50 1428->1429 1430 6d209408-6d209450 1428->1430 1429->1428 1432 6d209476-6d20947d 1430->1432 1434 6d209483-6d2094ed 1432->1434 1435 6d20957b-6d209581 1432->1435 1436 6d2094f3-6d2094f5 1434->1436 1437 6d209f8c-6d209f93 call 6d24c320 1434->1437 1438 6d209587-6d2095b3 call 6d20c5d0 1435->1438 1439 6d2097f9-6d209800 call 6d24c2f0 1435->1439 1441 6d209f85-6d209f87 call 6d24c340 1436->1441 1442 6d2094fb-6d209545 1436->1442 1437->1429 1451 6d209621-6d209631 1438->1451 1452 6d2095b5-6d209620 call 6d209360 1438->1452 1447 6d209805-6d20980c 1439->1447 1441->1437 1448 6d209552-6d209556 1442->1448 1449 6d209547-6d209550 1442->1449 1453 6d209810-6d209812 1447->1453 1454 6d209558-6d209576 1448->1454 1449->1454 1455 6d2097f4 call 6d24c2e0 1451->1455 1456 6d209637-6d209648 1451->1456 1457 6d209818 1453->1457 1458 6d2099fd 1453->1458 1454->1453 1455->1439 1462 6d2097e1-6d2097e9 1456->1462 1463 6d20964e-6d209653 1456->1463 1464 6d209f7e-6d209f80 call 6d24c2e0 1457->1464 1465 6d20981e-6d20984c 1457->1465 1461 6d209a01-6d209a0a 1458->1461 1467 6d209a10-6d209a16 1461->1467 1468 6d209d72-6d209de0 call 6d209360 1461->1468 1462->1455 1469 6d2097c6-6d2097d6 1463->1469 1470 6d209659-6d209666 1463->1470 1464->1441 1472 6d209856-6d2098af 1465->1472 1473 6d20984e-6d209854 1465->1473 1475 6d209d53-6d209d71 1467->1475 1476 6d209a1c-6d209a26 1467->1476 1489 6d209ee5-6d209eeb 1468->1489 1469->1462 1477 6d2097b8-6d2097c1 1470->1477 1478 6d20966c-6d2097b3 call 6d216bb0 call 6d217410 call 6d217230 call 6d217410 call 6d217230 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d216c10 call 6d216bb0 call 6d217410 call 6d217100 call 6d216db0 call 6d216c10 call 6d246a90 1470->1478 1485 6d2098b1-6d2098bd 1472->1485 1486 6d2098bf-6d2098c8 1472->1486 1473->1447 1481 6d209a41-6d209a55 1476->1481 1482 6d209a28-6d209a3f 1476->1482 1478->1477 1487 6d209a5c 1481->1487 1482->1487 
1490 6d2098ce-6d2098e0 1485->1490 1486->1490 1493 6d209a71-6d209a91 1487->1493 1494 6d209a5e-6d209a6f 1487->1494 1491 6d209f68-6d209f79 call 6d246a90 1489->1491 1492 6d209eed-6d209f02 1489->1492 1498 6d2098e6-6d2098eb 1490->1498 1499 6d2099c8-6d2099ca 1490->1499 1491->1464 1496 6d209f04-6d209f09 1492->1496 1497 6d209f0b-6d209f1d 1492->1497 1501 6d209a98 1493->1501 1494->1501 1503 6d209f1f 1496->1503 1497->1503 1506 6d2098f4-6d209908 1498->1506 1507 6d2098ed-6d2098f2 1498->1507 1504 6d2099e2 1499->1504 1505 6d2099cc-6d2099e0 1499->1505 1508 6d209aa1-6d209aa4 1501->1508 1509 6d209a9a-6d209a9f 1501->1509 1514 6d209f21-6d209f26 1503->1514 1515 6d209f28-6d209f40 1503->1515 1513 6d2099e6-6d2099fb 1504->1513 1505->1513 1516 6d20990f-6d209911 1506->1516 1507->1516 1511 6d209aaa-6d209d4e call 6d216bb0 call 6d217410 call 6d217230 call 6d217410 call 6d217230 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d216db0 call 6d216c10 call 6d216bb0 call 6d217410 call 6d217230 call 6d217410 call 6d217100 call 6d217410 call 6d217230 call 6d216db0 call 6d216c10 call 6d216bb0 call 6d217410 call 6d2172a0 call 6d217410 call 6d217230 call 6d216db0 call 6d216c10 call 6d216bb0 call 6d217410 call 6d217100 call 6d217410 call 6d217100 call 6d216db0 call 6d216c10 1508->1511 1509->1511 1511->1489 1513->1461 1519 6d209f42-6d209f4e 1514->1519 1515->1519 1520 6d209452-6d20946f 1516->1520 1521 6d209917-6d209919 1516->1521 1524 6d209f50-6d209f55 1519->1524 1525 6d209f5a-6d209f5d 1519->1525 1520->1432 1526 6d209922-6d20993d 1521->1526 1527 6d20991b-6d209920 1521->1527 1525->1491 1531 6d2099a7-6d2099c3 1526->1531 1532 6d20993f-6d209944 1526->1532 1530 6d20994b 1527->1530 1535 6d20994d-6d20995c 1530->1535 1536 6d20995e-6d20996d 1530->1536 1531->1447 1532->1530 1539 6d209970-6d2099a2 1535->1539 1536->1539 1539->1447
    Strings
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D209C5B
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D209BD7
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D2096A4, 6D209AED
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D209C88
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D2096CD
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D20976B
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D2097A2, 6D209F68
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D209CE8
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D209D15
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D2096F7, 6D209721, 6D209B44, 6D209B6E
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D209B1A
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D20967A, 6D209AB3
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D209C04
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= 
GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: d0ed0918d51e71e91c495d5688aa394179066e8bc07df5053558d80891056060
    • Instruction ID: 698e315284140d937ae08c29a583985ced66dcf7f21f30680b6400af9d3c1565
    • Opcode Fuzzy Hash: d0ed0918d51e71e91c495d5688aa394179066e8bc07df5053558d80891056060
    • Instruction Fuzzy Hash: AA523475A5C3198FD320DF68C480B5EBBF5BF89308F05892DEA9997340DB74A844CB92

    Control-flow Graph (rendered graph not reproduced; its legend distinguished Executed from Not Executed blocks. Below is the flattened node list: node id, basic-block address range, called targets, and node->node edges)

    control_flow_graph 1788 6d211570-6d21157e 1789 6d211584-6d2115b6 call 6d2132a0 1788->1789 1790 6d21181e-6d211823 call 6d24ae50 1788->1790 1795 6d211807-6d21181d call 6d246a90 1789->1795 1796 6d2115bc-6d2115ea call 6d211470 1789->1796 1790->1788 1795->1790 1801 6d2115fc-6d211631 call 6d2132a0 1796->1801 1802 6d2115ec-6d2115f9 call 6d24c270 1796->1802 1807 6d2117f1-6d211802 call 6d246a90 1801->1807 1808 6d211637-6d211669 call 6d211470 1801->1808 1802->1801 1807->1795 1812 6d21167b-6d211683 1808->1812 1813 6d21166b-6d211678 call 6d24c270 1808->1813 1814 6d211689-6d2116bb call 6d211470 1812->1814 1815 6d21172d-6d21175f call 6d211470 1812->1815 1813->1812 1824 6d2116cd-6d2116d5 1814->1824 1825 6d2116bd-6d2116ca call 6d24c270 1814->1825 1822 6d211771-6d2117a9 call 6d211470 1815->1822 1823 6d211761-6d21176e call 6d24c270 1815->1823 1836 6d2117bb-6d2117c4 1822->1836 1837 6d2117ab-6d2117b8 call 6d24c270 1822->1837 1823->1822 1829 6d2117db-6d2117ec call 6d246a90 1824->1829 1830 6d2116db-6d21170d call 6d211470 1824->1830 1825->1824 1829->1807 1840 6d21171f-6d211727 1830->1840 1841 6d21170f-6d21171c call 6d24c270 1830->1841 1837->1836 1840->1815 1842 6d2117c5-6d2117d6 call 6d246a90 1840->1842 1841->1840 1842->1829
    Strings
    • , xrefs: 6D2116A2
    • NtCancelWaitCompletionPacket, xrefs: 6D2116E2
    • , xrefs: 6D21169A
    • ProcessPrng, xrefs: 6D2115BF
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D2117C5
    • ntdll.dll, xrefs: 6D211608
    • RtlGetVersion, xrefs: 6D21177E
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D211807
    • bcryptprimitives.dll, xrefs: 6D21158D
    • NtAssociateWaitCompletionPacket, xrefs: 6D211690
    • P, xrefs: 6D2117E4
    • RtlGetCurrentPeb, xrefs: 6D211734
    • NtCreateWaitCompletionPacket, xrefs: 6D21163E
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: 52c791dc50504ddc00ea0e9383277f9110fff9dac1314fd28f871b45f9750186
    • Instruction ID: 4fa4634d4858f4eabbd989a537ea97cd1ec9e1877a1631be8977c15a3729cccd
    • Opcode Fuzzy Hash: 52c791dc50504ddc00ea0e9383277f9110fff9dac1314fd28f871b45f9750186
    • Instruction Fuzzy Hash: 8C71F3B4549706AFDB04DF68C594B5ABBF0BF9A748F01C82DE99887340D7749888CF52
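The strings referenced by the function above (bcryptprimitives.dll and ProcessPrng, then ntdll.dll with NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb and RtlGetVersion, plus the "bcryptprimitives.dll not found" and "NtCreateWaitCompletionPacket exists but ... does not" failure messages) are the Go runtime's own start-up resolution of optional Windows syscalls (loadOptionalSyscalls in runtime/os_windows.go, present in Go 1.22 and newer), not sample-specific API hashing; the call order in the control-flow graph matches that routine. Two caveats when reading such a list: Go packs string literals back to back without NUL terminators, so the string a disassembler shows at an xref is the referenced literal followed by its neighbours, and the runtime-supplied length, not a terminator, bounds it. The following triage helper is an added example, not Joe Sandbox's or the sample's code: it parses a "Strings" list in the report's own bullet format (the sample input is constructed from the bullets above), trims each concatenated run to the runtime literal it starts with, and separates what the Go runtime accounts for from what still needs a look. The literal set and the threshold of six are this example's own choices.

```python
"""
Triage helper for Go-built Windows samples: parse a Joe Sandbox "Strings"
list and separate the Go runtime's start-up syscall probing from the rest.
Added example, not code from Joe Sandbox or from the analysed sample; the
input block below is constructed from the report's own bullet lines.
"""
import re
from dataclasses import dataclass

# Constructed input: the "Strings" bullets of the function entry above.
SAMPLE_STRINGS_BLOCK = """\
• , xrefs: 6D2116A2
• NtCancelWaitCompletionPacket, xrefs: 6D2116E2
• ProcessPrng, xrefs: 6D2115BF
• NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D2117C5
• ntdll.dll, xrefs: 6D211608
• RtlGetVersion, xrefs: 6D21177E
• bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D211807
• bcryptprimitives.dll, xrefs: 6D21158D
• NtAssociateWaitCompletionPacket, xrefs: 6D211690
• P, xrefs: 6D2117E4
• RtlGetCurrentPeb, xrefs: 6D211734
• NtCreateWaitCompletionPacket, xrefs: 6D21163E
"""

# Literals the Go runtime resolves in loadOptionalSyscalls (runtime/os_windows.go,
# Go 1.22+) together with the throw() messages of its failure paths. This set is
# the example's own assumption about what to treat as runtime noise.
GO_RUNTIME_WINDOWS_LITERALS = (
    "NtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does not",
    "NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not",
    "NtAssociateWaitCompletionPacket",
    "NtCancelWaitCompletionPacket",
    "NtCreateWaitCompletionPacket",
    "bcryptprimitives.dll not found",
    "bcryptprimitives.dll",
    "RtlGetCurrentPeb",
    "RtlGetVersion",
    "ProcessPrng",
    "ntdll.dll",
)

# One report bullet: "• <text>, xrefs: <addr>[, <addr>...]" (text may be empty).
BULLET_RE = re.compile(
    r"^\s*•\s*(?P<text>.*?), xrefs: (?P<xrefs>[0-9A-Fa-f]{8}(?:, [0-9A-Fa-f]{8})*)\s*$"
)


@dataclass
class StringRef:
    text: str      # string as the disassembler shows it (may run into neighbours)
    xrefs: list    # code addresses that reference it


def parse_strings_block(block: str) -> list:
    """Turn the report's bullet lines into StringRef records; skip anything else."""
    refs = []
    for line in block.splitlines():
        m = BULLET_RE.match(line)
        if m:
            refs.append(StringRef(m["text"], m["xrefs"].split(", ")))
    return refs


def leading_literal(text: str, literals=GO_RUNTIME_WINDOWS_LITERALS):
    """Go stores string literals contiguously without NUL terminators, so the
    string at an xref is usually the referenced literal plus its neighbours.
    Return the longest known literal that `text` starts with, or None."""
    for lit in sorted(literals, key=len, reverse=True):
        if text.startswith(lit):
            return lit
    return None


@dataclass
class Triage:
    runtime_literals: dict   # literal -> xrefs that reference it
    other: list              # StringRefs the runtime does not account for

    def is_go_runtime_windows(self) -> bool:
        # The probe resolves a fixed set; require most of it so a lone
        # "ntdll.dll" in an unrelated binary does not produce this verdict.
        return len(self.runtime_literals) >= 6


def triage(refs: list) -> Triage:
    """Split parsed strings into runtime-explained literals and everything else."""
    found, other = {}, []
    for r in refs:
        lit = leading_literal(r.text)
        if lit is None:
            other.append(r)
        else:
            found.setdefault(lit, []).extend(r.xrefs)
    return Triage(found, other)


if __name__ == "__main__":
    result = triage(parse_strings_block(SAMPLE_STRINGS_BLOCK))
    print("Go runtime (Windows) syscall probe:", result.is_go_runtime_windows())
    for lit, xrefs in sorted(result.runtime_literals.items()):
        print(f"  {lit!r:<85} {', '.join(xrefs)}")
    print("unexplained:", [r.text for r in result.other])
```

Run on the constructed block, all ten runtime literals are matched to their xrefs and only the empty string and "P" remain unexplained; those two, not the API names, are where a reviewer's attention belongs for this function. Extending GO_RUNTIME_WINDOWS_LITERALS with other runtime strings from the report (the timezone abbreviations, the scheduler panic texts) lets the same split be applied to the larger entries.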
    Strings
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D2041A9
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D203C4F
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1SafetyDogFindCloseLo, xrefs: 6D203D81
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D203DAB
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D203D16
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D203CB8, 6D20412C
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D20418A
    • , xrefs: 6D203E12
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D203C65
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D203E09
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D203CE2, 6D204156
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1SafetyDogFindCloseLo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-450365003
    • Opcode ID: ef3cb454f0a54f08adac40d2c6fc5842a86a8cb198d88e36b6f85f641c7ee84f
    • Instruction ID: 1d42946919edcb80f3f88ca2e99d43310cdff109a945a3487afb41c5b5c5276a
    • Opcode Fuzzy Hash: ef3cb454f0a54f08adac40d2c6fc5842a86a8cb198d88e36b6f85f641c7ee84f
    • Instruction Fuzzy Hash: 158246B464C3598FC355DF28C080B6ABBF1BF89708F41896DE9C88B391E7749945CB92
    Strings
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D212E47, 6D212EA2
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D212F31
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D212D95
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D212DC9
    • %, xrefs: 6D212F3A
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D212DEC
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D212D6E
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D212E20
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D212D29
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D212E7B, 6D212ED6
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D212EFD
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: 6079a601660f8ab4a630850196ef7f0edead6c25df00bf253219e4caf09d40f7
    • Instruction ID: 1cc40ba33aaf19ddff7ff4eb857366c12221bb880340fd390fd494564f6c6478
    • Opcode Fuzzy Hash: 6079a601660f8ab4a630850196ef7f0edead6c25df00bf253219e4caf09d40f7
    • Instruction Fuzzy Hash: 1AC1E3B464D30A8FD700EF68C59875ABBF4BF89709F01C96CE6988B340D7759948CB52
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 9da484a11bfad4e0c326527615c7dda81aca00b8ee410099c1789cfd7c7968cf
    • Instruction ID: 89a178da9a6302013e25ebcae1861eb00f6a4a38965070ccec38dffa1bb9d967
    • Opcode Fuzzy Hash: 9da484a11bfad4e0c326527615c7dda81aca00b8ee410099c1789cfd7c7968cf
    • Instruction Fuzzy Hash: FD011EB58497149BC720BF79960A31EBEF8BF42795F01452DD88897309D7705484CBA3
    Strings
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D243D31
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D243D47
    • 2, xrefs: 6D243D50
    • 4, xrefs: 6D243D0E
    • p, xrefs: 6D243D5E
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D243D05
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D2436FF
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D243D1B
    • 3-, xrefs: 6D243D58
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: d21636e442b75dc62c68c6592568ef972a9394594b6260c32ccf82aef6bfca9c
    • Instruction ID: 4b1a3e7bdbd3de2619e1879ef725685a703993c35d1c7e95b646f93088ba1c38
    • Opcode Fuzzy Hash: d21636e442b75dc62c68c6592568ef972a9394594b6260c32ccf82aef6bfca9c
    • Instruction Fuzzy Hash: 4962AD7068835A8FC308DF29C090A6ABBF1BF89714F15C96DE9948B391D775D885CF82
    Strings
    • $, xrefs: 6D25D66D
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D25D1C5
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D25D785
    • n, xrefs: 6D25D1B1
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D25D663
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D25CF75, 6D25D068, 6D25D138, 6D25D6F4, 6D25D816, 6D25D8A7, 6D25D938, 6D25D9CD
    • !, xrefs: 6D25D0EC
    • v, xrefs: 6D25D025
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
    • API String ID: 0-3686076665
    • Opcode ID: 75f0395e53c2b68537376044aebfb608b33cce135941cdc5503c2c02a536b040
    • Instruction ID: 23aab0c6f68f21abb6a98d54fedc97e05ed14164ba375d8ba27a2a5a0f6ed4d1
    • Opcode Fuzzy Hash: 75f0395e53c2b68537376044aebfb608b33cce135941cdc5503c2c02a536b040
    • Instruction Fuzzy Hash: BB7214B494834A8FC714DF68C180B5AFBF1BBC9704F54892DE9A887350DB74A948CF92
    Strings
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1SafetyDogFindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutin, xrefs: 6D263FD9, 6D2642BB
    • 0, xrefs: 6D263150
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D263BE4, 6D263EAF, 6D263FF3, 6D2642D5
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6D263BCA, 6D263E95
    • 0, xrefs: 6D263344
    • 0, xrefs: 6D263267
    • 0, xrefs: 6D2630B1
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1SafetyDogFindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutin$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
    • API String ID: 0-1887530876
    • Opcode ID: 5f0865cbfe63a073fd93a9789988e6dba21af2f035d53e853aa03ef85a01ba1e
    • Instruction ID: a8467a872a5235bb151e1e4b9c768b866fbac844ec6186471c0ab28112b26136
    • Opcode Fuzzy Hash: 5f0865cbfe63a073fd93a9789988e6dba21af2f035d53e853aa03ef85a01ba1e
    • Instruction Fuzzy Hash: 5A03E5B4A4D3868FC329CF18C09069EF7E1BFC9304F15892EE99997351D770A985CB92
    Strings
    • , xrefs: 6D236031
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D236593
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D236320
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D2366C5
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D236566
    • , xrefs: 6D236039
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D236539
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D2363FD
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 2635e36f98637983cd00f9e72c533f6a67f2e9aa98d07233461da9d645d61677
    • Instruction ID: 18bf94c7992df9ef60b4e2409a169a8988d1249d73b1cb8c44467063ab8c542d
    • Opcode Fuzzy Hash: 2635e36f98637983cd00f9e72c533f6a67f2e9aa98d07233461da9d645d61677
    • Instruction Fuzzy Hash: 2232C1B464C3958FC365DF25C580B9FBBE5ABC9305F02882EEAC897351D734A845CB92
    Strings
    • timeBeginPeriod, xrefs: 6D211B29
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D211BD9
    • timeEndPeriod, xrefs: 6D211B73
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D211C0D
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D211C34
    • winmm.dll, xrefs: 6D211AF3
    • &, xrefs: 6D211C3D
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 683cb8ab8e4f1b61ce40e7103c172a66b1b3b1af8e1880fa8b3cd33a23cec6fe
    • Instruction ID: fe8b2399bd27e01ee394bb065ae2ec5b4556fb375767af93ae7f86390f8a1c20
    • Opcode Fuzzy Hash: 683cb8ab8e4f1b61ce40e7103c172a66b1b3b1af8e1880fa8b3cd33a23cec6fe
    • Instruction Fuzzy Hash: 7751C4B064D30A9FD704EF68C59475ABBF4BF99709F01C82DE69887340DB749588CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 25fee8ff75e86694acfb33ac2de16f146b621d4aaf8d82f6bcc6bdeb4ca0c295
    • Instruction ID: cc32b6f296940d2640b5a1335144eb8552e40d9da9714e9e76697c42e79eefe0
    • Opcode Fuzzy Hash: 25fee8ff75e86694acfb33ac2de16f146b621d4aaf8d82f6bcc6bdeb4ca0c295
    • Instruction Fuzzy Hash: 71014DB48083019FE700EF68C59971AFBF4AB88749F01891DE99896254D7798289CF93
    Strings
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D21E0A9
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D21E0BF
    • !, xrefs: 6D21E0DE
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D21E093
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D21E0EB
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D21E0D5
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: fe82a800749aa8e39f03e957152adbb0dcd1a2d04bf0b5574ba1f4474a5229a8
    • Instruction ID: e3bb46217b5b5964d5a8726c01d5334f10b10b9087ac2dfdbbd345d5886b4572
    • Opcode Fuzzy Hash: fe82a800749aa8e39f03e957152adbb0dcd1a2d04bf0b5574ba1f4474a5229a8
    • Instruction Fuzzy Hash: F1A2D17468D3469FD724DF68C490B6ABBF1BF89744F01882DEA9887380EB75D844CB52
    Strings
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D21139D, 6D2113F8, 6D21144B
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D211417
    • 5, xrefs: 6D211420
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D211369
    • d, xrefs: 6D211276
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D2113C4
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 67e885504d59872c12b3dcb89cc01e98d3ba1a2e81c96f058f823e0a55aa287c
    • Instruction ID: cd95aac08b541ea60ca3d794bcbbad604ec9aecefd313aee1621946a32957c3b
    • Opcode Fuzzy Hash: 67e885504d59872c12b3dcb89cc01e98d3ba1a2e81c96f058f823e0a55aa287c
    • Instruction Fuzzy Hash: A451BBB464D7099FD740EF28C49475EBBF4AF89709F01C82DEA9887350D7749988CBA2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D27634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D27635F
    • GetCurrentProcess.KERNEL32 ref: 6D276368
    • TerminateProcess.KERNEL32 ref: 6D276379
    • abort.MSVCRT ref: 6D276382
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 52aa3a10f5e335fb6b337cbe4ad963f49e4b0664e650a6ac7233bb066f46fd3a
    • Instruction ID: d9fb9a1c0b86e76e26a391615bcb126500f49f3c2a5750c4ba49102661ccccfd
    • Opcode Fuzzy Hash: 52aa3a10f5e335fb6b337cbe4ad963f49e4b0664e650a6ac7233bb066f46fd3a
    • Instruction Fuzzy Hash: F311D7B5904306AFDB00FF69C14975A7BF4FB4A345F008569E948D7350EB389988CF92
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D276289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1E13B9), ref: 6D27629A
    • GetCurrentThreadId.KERNEL32 ref: 6D2762A2
    • GetTickCount.KERNEL32 ref: 6D2762AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1E13B9), ref: 6D2762B9
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 8302bfbc64c6ac8cd3f7fa9ca051df3e4b9810fae56f17e968c2aef27b255015
    • Instruction ID: 3fa816299ec6d278619394ca9f9229d9065516973bb4629fa89c14ba3acf704a
    • Opcode Fuzzy Hash: 8302bfbc64c6ac8cd3f7fa9ca051df3e4b9810fae56f17e968c2aef27b255015
    • Instruction Fuzzy Hash: CF1151B55053018FDB10EF79D48864BBBF9FB89256F054D39E444C6210EB35D488C792
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D27634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D27635F
    • GetCurrentProcess.KERNEL32 ref: 6D276368
    • TerminateProcess.KERNEL32 ref: 6D276379
    • abort.MSVCRT ref: 6D276382
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 6d54203270e80b0cb41704076adff198107b1b22304f454e00e49df60e2e7300
    • Instruction ID: 00546e70c03dbc9b1499c1595c26e29a6ff8dfd468f5533982abbd4b71ac3c8a
    • Opcode Fuzzy Hash: 6d54203270e80b0cb41704076adff198107b1b22304f454e00e49df60e2e7300
    • Instruction Fuzzy Hash: 3011F3B5804206AFDB00FF69C2497697BF8FB06305F008568E948D7340EB389988CF92
    Strings
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D201A0F
    • !, xrefs: 6D201A18
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D20198C, 6D2019DB
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D2019C0
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: a0e5725d6dd3a44c916ad8967d6224493dcd3b8e1a5217dd3dfbe9c46765d1ba
    • Instruction ID: 3dcfe5c1d9058636b6d764d8a9175d25f03e959cca4ed60e3a7368d43d62d65f
    • Opcode Fuzzy Hash: a0e5725d6dd3a44c916ad8967d6224493dcd3b8e1a5217dd3dfbe9c46765d1ba
    • Instruction Fuzzy Hash: FDF1E33668D32A8FD306DE98C4C061EB7E2BBC8348F15893CD994DB385EB719845C6C2
    Strings
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D21A843
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D21A7B0
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D21A7EB
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D21A690
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: 8b717361952d3c4db79029ace6a210f1e121c012679a8992c3584690ec64f2da
    • Instruction ID: 65f0557e753feea568851636b750d041fd57672d2bb668c4193b43f3ab68615b
    • Opcode Fuzzy Hash: 8b717361952d3c4db79029ace6a210f1e121c012679a8992c3584690ec64f2da
    • Instruction Fuzzy Hash: AFF1F274A4D3459FC308CF69C190A6ABBF1BF89704F51892EEA9887351D770D949CF42
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 13e09fe2f0310754414b28eb81df6623723b3fa836ef882ecc76b5d0ba7c0872
    • Instruction ID: 711e8cff16f44d528be5426652181f51dd842e1ef3aa357aed77f58f842fc7d4
    • Opcode Fuzzy Hash: 13e09fe2f0310754414b28eb81df6623723b3fa836ef882ecc76b5d0ba7c0872
    • Instruction Fuzzy Hash: 3321BAB460C3069FD704DF25C094B5ABBE0BB89758F40C82DE99887240E7799A88CF92
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D226A04
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D2269D7
    • <, xrefs: 6D226A0D
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 833e7e1bf34f265b0efc21403a78ecb3cd5c44e933d28d8f7da00a05e881f67e
    • Instruction ID: 4c81ffea3b45bfba3a4f13ba163fcdda19b8b0d087da73285e8cdf46dee31a4b
    • Opcode Fuzzy Hash: 833e7e1bf34f265b0efc21403a78ecb3cd5c44e933d28d8f7da00a05e881f67e
    • Instruction Fuzzy Hash: 89025971A4C70A8FC714CF69C19061ABBE2BFC8705F15892DE9998B350EB71E845CB82
    Strings
    • ', xrefs: 6D2164AC
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D2164A3
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D21648D
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: a299ebee35e5009002d27b0418fde19ae7e45041e87885aad7eac5b191cca29c
    • Instruction ID: ed19adc8054c074be68260960c7f97fd5400b7521eb8647ff84036c129de347c
    • Opcode Fuzzy Hash: a299ebee35e5009002d27b0418fde19ae7e45041e87885aad7eac5b191cca29c
    • Instruction Fuzzy Hash: 33D1317428D3568FC705CF29C490A2EBBF2AF8A709F45886DEAC587351D735E944CB82
    Strings
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D206D4E
    • +, xrefs: 6D206D57
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 0297b7eadeb26d8366d47a64570ff88d53ab0dec1829c0e37c69295b828bb780
    • Instruction ID: d34eaa65352b9e482f8056461473911863427e4ec29b0e91621ebbe6caabace1
    • Opcode Fuzzy Hash: 0297b7eadeb26d8366d47a64570ff88d53ab0dec1829c0e37c69295b828bb780
    • Instruction Fuzzy Hash: 5322DF7464C34A9FC354DF29C190A6ABBF1BF89745F05892DE9D887350DB35E888CB82
    Strings
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D20B60F
    • @, xrefs: 6D20B4FB
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 48e601ef5c43faa4d99fd50721b1b2e893dd89de88ae4e607299971eb784fd00
    • Instruction ID: c6623edc9fd5b79352b0e5a0f28299419a12119ce57aff85809669705e9f964a
    • Opcode Fuzzy Hash: 48e601ef5c43faa4d99fd50721b1b2e893dd89de88ae4e607299971eb784fd00
    • Instruction Fuzzy Hash: 4EA1D17564871A8FC308CF18C88065AB7E1FFC8314F45CA2DE9999B341DB34E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: e52145faca93d1eca5eb624aafff8dc4f848bd4652eb2773a9ccb583bdbccb69
    • Instruction ID: 67fff7ad9ce7f46296a3958719e01773b61d5070dca5935ba7376ff036b61efd
    • Opcode Fuzzy Hash: e52145faca93d1eca5eb624aafff8dc4f848bd4652eb2773a9ccb583bdbccb69
    • Instruction Fuzzy Hash: 0451A320C1CF5B65E7331ABDC4026667B20AEB3144B01D76FFDD6B54B2EB176940BA22
    Strings
    • ,, xrefs: 6D1FCFAA
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D1FCFA1
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: 85b680ce7c24dd924acef28a214520ab90f34995db9bdfe7b87b856de8cb0396
    • Instruction ID: 6b6fe618e20bc7bca030ea3774a0f73a7c5a73d8c0db8c15535fc19a06bdc60d
    • Opcode Fuzzy Hash: 85b680ce7c24dd924acef28a214520ab90f34995db9bdfe7b87b856de8cb0396
    • Instruction Fuzzy Hash: D8318175A493568FD305DF14C490A69B7F1BB86608F0985BDDD484F387DB31A84ACBC1
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D265B6E
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: e0cca7863d32f4e164725f172789904d837a7b504f9cd8c1b8e26fc4ea65a2fe
    • Instruction ID: 611d52e88630ba3416734154564720493aa213afa2cddc1f74bd06c72e0d8900
    • Opcode Fuzzy Hash: e0cca7863d32f4e164725f172789904d837a7b504f9cd8c1b8e26fc4ea65a2fe
    • Instruction Fuzzy Hash: 745217B5A083898FD338CF19C59039FFBE1ABC5304F45892DDAD897381E7B599448B92
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: 6c6f006c3165d007fd5038c63f92e79ae67e72a5be304f7cb18e5b58c60ef9c2
    • Instruction ID: 0fa921c0215a3e500cdf837b584346d4579814e145bc560d02943e956c23abcc
    • Opcode Fuzzy Hash: 6c6f006c3165d007fd5038c63f92e79ae67e72a5be304f7cb18e5b58c60ef9c2
    • Instruction Fuzzy Hash: 9F22D0B564D35A8BC724DF28C4C4A6EF7E1AFC5304F168A2DD9998B351DB31A805CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D1F0D52
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: da28b67df934a6a383908f577c1d4b9da2960342f8255cfc894a782ed1a98ee9
    • Instruction ID: 369c09c0c5825c9675511c9fcedff48e85f2f0d9fea2ea2750922e07dbfde9b2
    • Opcode Fuzzy Hash: da28b67df934a6a383908f577c1d4b9da2960342f8255cfc894a782ed1a98ee9
    • Instruction Fuzzy Hash: 40D152B464C3499FC704DF29C090A2ABBE0BF89748F01896EF9D98B345E775D946CB42
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D20D3CB
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 39945c3849948616bd2c963749ac198cda07fae7c7be1fdf0fa45646615ed274
    • Instruction ID: 65b01b1666bacc77aa74bea283a6058757776d982e851c3526a2a52048f09c2a
    • Opcode Fuzzy Hash: 39945c3849948616bd2c963749ac198cda07fae7c7be1fdf0fa45646615ed274
    • Instruction Fuzzy Hash: ECB1D378A4930A9FC704DF68C58092ABBF1BFC9744F42892DE99487751EB34E945CF82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: cf05eb2f4b3406c8e1d238a0aa465d700732d17d8ea8256966041028e5098247
    • Instruction ID: 3a66b7f58a3cd016cc5396bb325a704fd0128eb0cf15f9fb2d0dbace84735cd9
    • Opcode Fuzzy Hash: cf05eb2f4b3406c8e1d238a0aa465d700732d17d8ea8256966041028e5098247
    • Instruction Fuzzy Hash: 5DA17171B083054FC70CDF6DD99531ABAE6ABC8304F05CA3DE589CB7A4E634D9098B86
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 4dda17549d82e19f9628bc28af1166d663fddd9cd64618b461112aae67892d7d
    • Instruction ID: a1206ebd21c55a38ef3b6a44d1a775cc92a336983aa37906598630c4599e2b5b
    • Opcode Fuzzy Hash: 4dda17549d82e19f9628bc28af1166d663fddd9cd64618b461112aae67892d7d
    • Instruction Fuzzy Hash: A19122B5A593099FC344CF28C080A5ABBE1FF89744F81992DE99897341E735D985CF82
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 587a21fe7aa5cec56273c2d94f9b58847a029360e533ca6345368a997134a6b5
    • Instruction ID: 143f47a8e7ba7e2b00119803cf7a5573bb3821e6f87a2c5879dc7ea86ac8aa3e
    • Opcode Fuzzy Hash: 587a21fe7aa5cec56273c2d94f9b58847a029360e533ca6345368a997134a6b5
    • Instruction Fuzzy Hash: A2824D75A583598BC728CF09C490B9AF3F2BBCD301F55892ED69AD3350E770A915CB82
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4318e73299a7402a8aceff829af987767735d66ea1321447e90865e6f91a6a5e
    • Instruction ID: a26c61578d10b541aeb8056bc5a33b9dba07ac04930dea781594dad1d7a2f80a
    • Opcode Fuzzy Hash: 4318e73299a7402a8aceff829af987767735d66ea1321447e90865e6f91a6a5e
    • Instruction Fuzzy Hash: 8F22B071A9C78A8FC324CF69C4D076BB7E2BBC5305F41C87DD98587240EB7198898B92
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0c58166ba2d6da66eabff61d4af7c7851a78b06a00cbef5b7c6cfa35dbfd611d
    • Instruction ID: 94d7f26ee43016bedcc0a7719336e874ba8c28025f5bc73e8f2396c3395295a5
    • Opcode Fuzzy Hash: 0c58166ba2d6da66eabff61d4af7c7851a78b06a00cbef5b7c6cfa35dbfd611d
    • Instruction Fuzzy Hash: F712BB72A487498FC314DE6DC98024AF7E6BBC4304F55CA3DD9988B355EB70E949CB82
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e031f9238d2ca08fd5d4dd70784d31e77362256f3d4efb819ffbf093314448fa
    • Instruction ID: 5d488df342339484495181adfda86c42b5ecad491d92503e6a20df1fcd72832f
    • Opcode Fuzzy Hash: e031f9238d2ca08fd5d4dd70784d31e77362256f3d4efb819ffbf093314448fa
    • Instruction Fuzzy Hash: B1E13673B9971A4FD319DDAC88C025EB2D2ABC8744F09863CDD649B380FA75DC0A96D1
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7e055a93e420d843bc45e6a50cc863996d7843084bf2e076d672b8d3ceed75d2
    • Instruction ID: 49c512b9db9a1592374461f385a08bddc7251f9f5b9684d8de2b96c796a745ac
    • Opcode Fuzzy Hash: 7e055a93e420d843bc45e6a50cc863996d7843084bf2e076d672b8d3ceed75d2
    • Instruction Fuzzy Hash: 5C028F7564C36A8FC324CF68C480A1EB7E1BF89704F56893DE9998B351D730E905DB92
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d0e06c000bcd368673f113269873a3565fa1271e66c0e680d0a48fe04f881968
    • Instruction ID: 4c07525345e42507a56d24d5099b67b5ee4495c4d0cda47144e4be70c76e4d7e
    • Opcode Fuzzy Hash: d0e06c000bcd368673f113269873a3565fa1271e66c0e680d0a48fe04f881968
    • Instruction Fuzzy Hash: BEE1B533E2472907D3149E58CC80249B6D3ABC8670F4EC73DDD959B781EAB4ED5986C2
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d6d14b58390c1ffd39adb7d2285d1e76ee0fd56b5ff117753c73def7d7f63c66
    • Instruction ID: 6b6e16c8c494b7aeeba4c3cd94865c433e58203fc2e8e9d68fe175ced556438f
    • Opcode Fuzzy Hash: d6d14b58390c1ffd39adb7d2285d1e76ee0fd56b5ff117753c73def7d7f63c66
    • Instruction Fuzzy Hash: C8E1C472A9C39A8BC305CF25849021FBBE2BBC5706F45C9ADE9918B341D771D849CBD2
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 01ea397c511ae41c79707be9a427c7c6ed81f709138a99c504d1ab6d86dd7616
    • Instruction ID: 7d6870d6de9fd4b6cf5ca991133e20fcd3368a094cc2f06a962078b43b811052
    • Opcode Fuzzy Hash: 01ea397c511ae41c79707be9a427c7c6ed81f709138a99c504d1ab6d86dd7616
    • Instruction Fuzzy Hash: 11C1D472B083164FC709DE6DC89061EB7E2ABC8304F49863CE955DB3A5E7B4EC068781
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 33825de9f9770dc4e0941f342db924a3cd60e305e9716be00f3d8640fcb908b3
    • Instruction ID: 363f603d1672e9a0e3bae24f5c772379edad43b14e21ab5c2fdbbad97f3c3817
    • Opcode Fuzzy Hash: 33825de9f9770dc4e0941f342db924a3cd60e305e9716be00f3d8640fcb908b3
    • Instruction Fuzzy Hash: 18E1907564C36A8FC315CF29C4D092AFBE1AFCA204F05897DE9958B392D730E945CB92
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 30c83024be99eec062a92ba333e770a2d543e381f07dca6a79e1ef896d7334fa
    • Instruction ID: 067ad9d6466d55d74bdffd13f182e8ddb9e528315032fee1d88d33113a555ff3
    • Opcode Fuzzy Hash: 30c83024be99eec062a92ba333e770a2d543e381f07dca6a79e1ef896d7334fa
    • Instruction Fuzzy Hash: 6CF1EF74A4C3958FC364CF29C490B5BBBE2BBC9304F54892EEAD887351DB31A845CB52
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d7b18c97eb22bce79512eed41578c450884768773413f839417edb465bfa8d4a
    • Instruction ID: 088a1fb7915f70fa465f998a18e0b3d98815f454571c1503fe8fe8bbc6de2819
    • Opcode Fuzzy Hash: d7b18c97eb22bce79512eed41578c450884768773413f839417edb465bfa8d4a
    • Instruction Fuzzy Hash: 4FC1617060432A4FC351CE5EDCC0A6A73D1AB4821DF91867D9A448F7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 920f9fa82136215bc644f029787155ba88f6482863f4b2493e389c6061e8ab55
    • Instruction ID: 84c98c5813fe43892ce45cd4a99d7ccf999bac4306b33fbd052f131a9637ea2e
    • Opcode Fuzzy Hash: 920f9fa82136215bc644f029787155ba88f6482863f4b2493e389c6061e8ab55
    • Instruction Fuzzy Hash: 90C1617060432A4FC251CE5EDCC0A6A73D1AB4821DF91867D9A448F7C3DA3AF46B96A4
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 55159abaa99c1a65475548d44116c0a82cdd53cf855358a189c2fe8f763807e9
    • Instruction ID: 654447c8cde46c00379a842e620d8bff6c0044196b7e459002eeb5e562aa4790
    • Opcode Fuzzy Hash: 55159abaa99c1a65475548d44116c0a82cdd53cf855358a189c2fe8f763807e9
    • Instruction Fuzzy Hash: 7291667268971A4FC31ADE9CC4D052EB3E2FBC8744F55873CD9690B380EB719909C691
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0f0a2832901c1d52ee2022006b52a3099f408240e947db540ca62398b30413ea
    • Instruction ID: 6b7edc2927f2731b3baba1ad9b39d239610dffe211f348396b28e4e7e932771f
    • Opcode Fuzzy Hash: 0f0a2832901c1d52ee2022006b52a3099f408240e947db540ca62398b30413ea
    • Instruction Fuzzy Hash: 1F81477768873E4FD316CEA888D065E3292ABC8718F09863CDD708B3C1FBB1980592D1
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 124c9cf62abbcbdbefc7c73b17428f57d836f0bf3449cb4da93bc4fb72eb4cb6
    • Instruction ID: 33cf490359d671af178a1ab11403e97f1556d2439dd12f37712ee99f05a96441
    • Opcode Fuzzy Hash: 124c9cf62abbcbdbefc7c73b17428f57d836f0bf3449cb4da93bc4fb72eb4cb6
    • Instruction Fuzzy Hash: 9091D776A187194BD304DE59CCC0659B3E2BBC8324F49C63CEDA89B345E674EE49CB81
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aeb35e4d5c0583117b41203e6ea7d4611ac0cc9814d0ec54de9f2d9aa79797e6
    • Instruction ID: 1fb35dd3331ea0330c35ba2823073778ec437a1e68a9e086ada881257e561edf
    • Opcode Fuzzy Hash: aeb35e4d5c0583117b41203e6ea7d4611ac0cc9814d0ec54de9f2d9aa79797e6
    • Instruction Fuzzy Hash: 5D81F8B2A187108FC314DF29D88095AF7E2BFC9748F46892DF988D7315E771E9158B82
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2bc7bef500a5900f3716418d760276e4172c363e5d79d241b648007617bf3cad
    • Instruction ID: 61b6c65f7783518eb98f39059d9da9c01fc578f0072a6a5234de6af12f579a5b
    • Opcode Fuzzy Hash: 2bc7bef500a5900f3716418d760276e4172c363e5d79d241b648007617bf3cad
    • Instruction Fuzzy Hash: EA91BBB4A493459FC308DF28C090A1ABBF1FF89748F418A6EE99997351D730E945CF46
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction ID: 0da7200be79d29892b3f755e310d070732b9031f74d250ea9b25f49b312cf532
    • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction Fuzzy Hash: 9751667090C3A44AE3158F6F48D402AFFE16FC6341F884A6EF5E443392D5B89515DB6A
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5965cf9d052c85f5287a0fc848d5858a8dbdf7b94c64c27d01392e9efdd4e0f1
    • Instruction ID: 6f4325e31a11edaa5ae2fc81c7052e8726f1518d295d600c2c83d2019bd48596
    • Opcode Fuzzy Hash: 5965cf9d052c85f5287a0fc848d5858a8dbdf7b94c64c27d01392e9efdd4e0f1
    • Instruction Fuzzy Hash: 1E51763090C3A44AE3158F6F48D402AFFF16FCA301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: edc6b4b3884e6ef5d3358a446244ad6ff15749e5e4fbdc0c4b413403109f1dfb
    • Instruction ID: f649c492d19b791a5ca3f2373e31b4f7e18fae6c7c3a9088939cc48d120249b9
    • Opcode Fuzzy Hash: edc6b4b3884e6ef5d3358a446244ad6ff15749e5e4fbdc0c4b413403109f1dfb
    • Instruction Fuzzy Hash: 2C516BB564A3268FC318DF69C490A1AB7E0FF88604F0589BDED599B391D731E845CBC2
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f21d2bd92460e9580ed94769d15fe942447703848ec9a4f16d473aa87b463e64
    • Instruction ID: 3bab41332b2b70a11847131954f8bf2f7384b84dfb880cdf162945079deeda9d
    • Opcode Fuzzy Hash: f21d2bd92460e9580ed94769d15fe942447703848ec9a4f16d473aa87b463e64
    • Instruction Fuzzy Hash: 9241C374908F058FC346DE79C49031AB7E2BFD6384F54872DE95A6B352EB719882CA42
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 26fa138c3f2bfc6ae846e9549a72792f793fc7f5d4fb7060899f1c01d4709b14
    • Instruction ID: 367d56c3c75ddf8dd03f218cecac879e414742e089b169d2a569bbf1cd9d5681
    • Opcode Fuzzy Hash: 26fa138c3f2bfc6ae846e9549a72792f793fc7f5d4fb7060899f1c01d4709b14
    • Instruction Fuzzy Hash: 1631637381971D8BD300AF499C40159F7E2ABD0B20F5E8A5EDDA417701DBB0AA15CBC7
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2ed7a373806fca73a0c5aef97407a85b7d240bb52832e660ee0bb5fe2ce66a7a
    • Instruction ID: 20878c1a39af17c22eec3fc1c72d95f0022525d493fa73154e731839ec994c26
    • Opcode Fuzzy Hash: 2ed7a373806fca73a0c5aef97407a85b7d240bb52832e660ee0bb5fe2ce66a7a
    • Instruction Fuzzy Hash: F821F2317042128BDB0CCF39C8F0226B7F3ABCA710B4A882CD455C77A8DAB4A849C746
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a597b840f6e669b6ffc3e99f7d0204ac012a0c1dd5713fffe21481e3adb1005f
    • Instruction ID: dff525b2955533183084fd13f81b3f8729e944f41e29c2f90ee61d5bd71e3437
    • Opcode Fuzzy Hash: a597b840f6e669b6ffc3e99f7d0204ac012a0c1dd5713fffe21481e3adb1005f
    • Instruction Fuzzy Hash: E3118B7064C24A9FD70ACF20C4A0BA9B7F5BF96708F40886CD6954B790C7399888CB52
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75cb89b570febef448973a48ecdb59ceee2e6c418d9811251ccdb5d5499bfc48
    • Instruction ID: cb387e3b1289d228bfaddb1013de65ac018bde2d46790bb615265ebc288e7b0e
    • Opcode Fuzzy Hash: 75cb89b570febef448973a48ecdb59ceee2e6c418d9811251ccdb5d5499bfc48
    • Instruction Fuzzy Hash: A2112DB4600B108FC398DF59C0D4E65B3E1FB8D200B4A85BDDB0E8B766C670A855DB85
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 93dcd87ec6e0dd97ad807693b75d1112eef3cd7171af0f4afc554e2d5af3ede1
    • Instruction ID: 9d3bc8d9df33c838aa5d9319b5aace7c56af68959a754fb9a8a9f444009007f4
    • Opcode Fuzzy Hash: 93dcd87ec6e0dd97ad807693b75d1112eef3cd7171af0f4afc554e2d5af3ede1
    • Instruction Fuzzy Hash: 7DC08CF08AA357ADF708CB2CC140306BEF09B81700F80C088E54843200C338C188A604

    Control-flow Graph

    APIs
    Strings
    • ;, xrefs: 6D275F18
    • unexpected cgo_bindm on Windows, xrefs: 6D275EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6D275F2C
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: accdb57dde2aa6cb43f26218bc2170e1fb41b02eb0dcba3262551e4a86c5c145
    • Instruction ID: b51dbbb6db9c7fdaf9be905cdf86059ca1ae864c7ba87fbb1d0c64aee7fd55b5
    • Opcode Fuzzy Hash: accdb57dde2aa6cb43f26218bc2170e1fb41b02eb0dcba3262551e4a86c5c145
    • Instruction Fuzzy Hash: 711195B58083459FDB10BF78C10D36EBAF4FB46309F41896CE98597241DB7A5198CB93
    APIs
    • Sleep.KERNEL32(?,?,?,6D1E12E0,?,?,?,?,?,?,6D1E13A3), ref: 6D1E1057
    • _amsg_exit.MSVCRT ref: 6D1E1085
    Strings
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: c'm
    • API String ID: 1015461914-2282281871
    • Opcode ID: c9be4d7a4c2982426798195e3e8b33f9baf0f62aea93e314c76a9e04c2e752af
    • Instruction ID: 949a924ed7a50c8ede4b054d8070194504be1ae46a50c292258d4d0e448b3f18
    • Opcode Fuzzy Hash: c9be4d7a4c2982426798195e3e8b33f9baf0f62aea93e314c76a9e04c2e752af
    • Instruction Fuzzy Hash: A641A2B1A09645DFEB11AF6DC98471ABBF8FB92384F41C52DD544CB208DBB994C4CB82
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6D2765DB
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D2765C7
    • VirtualProtect failed with code 0x%x, xrefs: 6D27659A
    • @, xrefs: 6D276578
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: ecee2cf33bcf465aa4bd8a1695fbfd33f5029dd800c439f043964eb6c85f9998
    • Instruction ID: f268bc8f3317df6b0525cd97fcc2b3512c6228328b39cf186ec1d837da8fa1ef
    • Opcode Fuzzy Hash: ecee2cf33bcf465aa4bd8a1695fbfd33f5029dd800c439f043964eb6c85f9998
    • Instruction Fuzzy Hash: 46418AB69443069FC720EF69D8C4A5AFBF4FB85315F01CA29E9589B218E734E444CBD2
    APIs
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 48155007f92fcc230adaa6282cb97c6dd293364e79463af2242444660cbba986
    • Instruction ID: dbb6a1335a8083179d145df79417b11c101b3122e3e814d0236725f0a0c3ed54
    • Opcode Fuzzy Hash: 48155007f92fcc230adaa6282cb97c6dd293364e79463af2242444660cbba986
    • Instruction Fuzzy Hash: CD51D176A483198FD720DF29D48066AF7E5FBC8305F05893EE988D7200E775D94ACB92
    APIs
    • CreateEventA.KERNEL32 ref: 6D275CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D275D89), ref: 6D275CEB
    • fwrite.MSVCRT ref: 6D275D20
    • abort.MSVCRT ref: 6D275D25
    Strings
    • =, xrefs: 6D275D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6D275D19
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 86e12355961edc318647d88560b70c0c798bbd2c0546ed9ed2167a55406e901b
    • Instruction ID: 30ea1a780bd585206ca59283a5119c99d247958a55349ad698d60b1fa646e768
    • Opcode Fuzzy Hash: 86e12355961edc318647d88560b70c0c798bbd2c0546ed9ed2167a55406e901b
    • Instruction Fuzzy Hash: E7F0CDB14043029FE710BF64C51932ABAF4EB41345F81886CD89496240DB7D9088CB53
    APIs
    • VirtualQuery.KERNEL32 ref: 6D27652D
    • VirtualProtect.KERNEL32 ref: 6D276587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D3253A8), ref: 6D276594
      • Part of subcall function 6D277220: fwrite.MSVCRT ref: 6D27724F
      • Part of subcall function 6D277220: vfprintf.MSVCRT ref: 6D27726F
      • Part of subcall function 6D277220: abort.MSVCRT ref: 6D277274
    Strings
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: c6613ebf8b13ab69f50fbabe3c87a2b0696240ffdd03740587b5b2054f0c96cd
    • Instruction ID: 9cd20e2a9f24001cb04060dafae46bbc9da17ab4be97aabcf98c69918df1c55a
    • Opcode Fuzzy Hash: c6613ebf8b13ab69f50fbabe3c87a2b0696240ffdd03740587b5b2054f0c96cd
    • Instruction Fuzzy Hash: 3F2139B69443069FD760EF28C884659FBF0FF45315F01CA29D99897268E734D544CB92
    APIs
    • bsearch.MSVCRT ref: 6D274D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D275BEF), ref: 6D274D9A
    • malloc.MSVCRT ref: 6D274DC8
    • qsort.MSVCRT ref: 6D274E16
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: e2b99572bf0d9bcf1e3bdcb43c0a0ce46541b5fb3fb4092d4db74b25a93583c5
    • Instruction ID: 9fa21b5e3a5112ce9b27a8beb01e6ac9b69e933f6a79de617cb85b54f3ac35a6
    • Opcode Fuzzy Hash: e2b99572bf0d9bcf1e3bdcb43c0a0ce46541b5fb3fb4092d4db74b25a93583c5
    • Instruction Fuzzy Hash: B34145756483068FD730DF29D480A2ABBF5FF88315F05896DE8898B314E775E849CB92
    APIs
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: f85daaf16c200f7ccbbf0e44015664d00cf8f799c543567e6e6cf6897f027090
    • Instruction ID: 61c9b51c8b68c8241830758f4383c8603bd81c1c6805ecec5236ca48634dedae
    • Opcode Fuzzy Hash: f85daaf16c200f7ccbbf0e44015664d00cf8f799c543567e6e6cf6897f027090
    • Instruction Fuzzy Hash: EC21B931658309CFD720EF38C844A66B7F5BF4A314F558938E5A9CB280EB35E845CB52
    APIs
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: eee9cf211cacf692e5634495a5ecc4549fe59900537d0fdfb11d1f8e98f2fb20
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: F0115E709982068FE7309F68C88076A7BE4FF85354F158A69E498CB385EB74D840CB92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D275E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D2745D9), ref: 6D275E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D2745D9), ref: 6D275E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D2745D9), ref: 6D275E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D2745D9), ref: 6D275E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 98be021ecf15803845c553815af1e19375ea3ea9fe28d494fc62bed43ccd71a5
    • Instruction ID: 246e62a5711562a4af0d1f99321489e1af6e07641dfcb780e0f8edafaa89db79
    • Opcode Fuzzy Hash: 98be021ecf15803845c553815af1e19375ea3ea9fe28d494fc62bed43ccd71a5
    • Instruction Fuzzy Hash: 2E015275504309DFDB10FF79D98951AFBF8EF42214F414529D99447240DB3AA46CCB93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D277248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 567884ae79a1d7d7a076df70d9b316edeaccc31b6c1042f1277989321e446905
    • Instruction ID: c1f6c3bf7abc80c4bb6a416455c0655e2865561c01f5a6f7dd89d4fabdbaa5e4
    • Opcode Fuzzy Hash: 567884ae79a1d7d7a076df70d9b316edeaccc31b6c1042f1277989321e446905
    • Instruction Fuzzy Hash: E1E0C2B088C3089ED320AF64C08565EBAE4FF89348F02C92CE1D847245C7788484CB93
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1E12A5), ref: 6D276709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D276799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D276864
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: d1fdbdd4d68aa39a09b85b2610ae43b59470fd0cb2e916aa28eb431cbb241a2b
    • Instruction ID: 7aa7f618bf6eafb79bf5c02d6333459f53041df83687e8d30dae3b2cbaac87b7
    • Opcode Fuzzy Hash: d1fdbdd4d68aa39a09b85b2610ae43b59470fd0cb2e916aa28eb431cbb241a2b
    • Instruction Fuzzy Hash: 54610434E4420A9FCB70DFA8C4C0769B7B6FF8531AF508529D9149B308D775AA46CBC2
    APIs
    Strings
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: d691d613d3fb448683ca2553735132ce4b7f86a7474e4e2d5848e95f79663a1d
    • Instruction ID: d1639e49f665114e6f40ce3cfd34bd551aed633c293ceb632fc8617380d821c8
    • Opcode Fuzzy Hash: d691d613d3fb448683ca2553735132ce4b7f86a7474e4e2d5848e95f79663a1d
    • Instruction Fuzzy Hash: A20117B489C315CBD720AF28944826AFBE0FF48318F46892DE8C897240E3758440CB63
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: d97af89b28aa6937671491ea2f61d4a768579569bf8108e9f8de27327a571fe9
    • Instruction ID: d6ceca21ded268396afe95879296e169d00dfc58778791d41fc23ee7038f7d0e
    • Opcode Fuzzy Hash: d97af89b28aa6937671491ea2f61d4a768579569bf8108e9f8de27327a571fe9
    • Instruction Fuzzy Hash: 5221E7B5A047128BDB20EF25D1C471ABBE5BF88215F15C96DE8998B309D734D845CB82
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1545226155.000000006D1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1E0000, based on PE: true
    • Associated: 00000003.00000002.1545206165.000000006D1E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545308722.000000006D278000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545329674.000000006D279000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545351406.000000006D27A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545374531.000000006D27F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545445999.000000006D328000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D32E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545466803.000000006D333000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545511561.000000006D346000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545534060.000000006D34D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545553037.000000006D34E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1545571755.000000006D351000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d1e0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 1f123590dc12cb239e824d57c477e389fbae8109a8623d34fca2d243820ed03a
    • Instruction ID: c57d7c819eb4b2c98e4a4deea6ea9180568d1aa0a2de47519ee62a97b8b73479
    • Opcode Fuzzy Hash: 1f123590dc12cb239e824d57c477e389fbae8109a8623d34fca2d243820ed03a
    • Instruction Fuzzy Hash: 1DF0A47590030A9FDB20BF7CC8C9A6A7BB8EA45295B054568DD8497205EB34E45CCBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph (edge list recovered from the rendered graph; each node is a code address, with the API called at that node where the graph labelled one):
    • 6d00cea0 → 6d00cec8 (WriteFile)
    • 6d00cea0 → 6d00ceb9
    • 6d00ceb9 → 6d00cec8 (WriteFile)
    • 6d035fb0 → 6d035fc7 (_beginthread)
    • 6d035fc7 → 6d036012
    • 6d035fc7 → 6d035fe1 (_errno)
    • 6d035fe1 → 6d036020 (Sleep)
    • 6d035fe1 → 6d035fe8 (_errno)
    • 6d036020 → 6d035fc7 (_beginthread, retry loop)
    • 6d036020 → 6d036034
    • 6d036034 → 6d035fe8 (_errno)
    • 6d035fe8 → 6d035ff9 (fprintf, abort)
    • 6d035ff9 → 6d036012

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D035FF9
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 7cd95498feee0c905f0bba0d36ae1340b0e365a23b14351b335b859cec9dacb3
    • Instruction ID: c1ead3ccada2da2f0ed470e5155a0bcbc501a6e99d0b092ce82e472e01f8ac31
    • Opcode Fuzzy Hash: 7cd95498feee0c905f0bba0d36ae1340b0e365a23b14351b335b859cec9dacb3
    • Instruction Fuzzy Hash: 71016D74408326DFD7007F69D88872EBBF4EF86320F43492DE58583260C7709440DAA3

    Control-flow Graph

    control_flow_graph (basic blocks and edges recovered from the rendered graph; the executed/not-executed colouring of the original figure is not recoverable here):
    • 6d00cea0-6d00ceb7 → 6d00cec8-6d00cee0 (WriteFile)
    • 6d00cea0-6d00ceb7 → 6d00ceb9-6d00cec6
    • 6d00ceb9-6d00cec6 → 6d00cec8-6d00cee0 (WriteFile)
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cb090b5f4a9b1e7a49aa4cf414030b1464c0b68a7e1920abc975b6d50006655f
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 20E0E571505640CFDB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 8bbdd7b5e7ccf2e9f19f4092c3d1b57c2c2277c43577d621ff4e4b6e6af6d423
    • Instruction ID: a67e94563b746c6370d1cfabcec8790bf8254522009dd9206c8c0e17eae4e1f4
    • Opcode Fuzzy Hash: 8bbdd7b5e7ccf2e9f19f4092c3d1b57c2c2277c43577d621ff4e4b6e6af6d423
    • Instruction Fuzzy Hash: 4511A7B5904205DFDB00FF69D14576ABBF1BB45304F41852DE948C7351EBB49944CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: fffcd914e8e1b426044f2e174771d88a6c0c3c36ec9adacb9cef2d30dce4006e
    • Instruction ID: 53119b6480ac0a0a169d27900350c3c1a13bb17561d6220408cd233a3aba47ec
    • Opcode Fuzzy Hash: fffcd914e8e1b426044f2e174771d88a6c0c3c36ec9adacb9cef2d30dce4006e
    • Instruction Fuzzy Hash: AD11B3B5804206DFDB00FF6AE149769BBF1BB06300F41862DE949C7341EBB49944CFA2

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6D035F2C
    • unexpected cgo_bindm on Windows, xrefs: 6D035EA4
    • ;, xrefs: 6D035F18
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 2721269e3de2d76480f0faff15622f45258cbce2f55a655de858d99fcdfef448
    • Instruction ID: 712809af5921a4e76f4e7787d75ad322bed58c5b0b0e5da5a88d3dcbd4bc6e24
    • Opcode Fuzzy Hash: 2721269e3de2d76480f0faff15622f45258cbce2f55a655de858d99fcdfef448
    • Instruction Fuzzy Hash: 5811A4B5808251DFEB00BF79D10E32EBAF4BB45304F42891CE98597245DBB5A158CFA3
    APIs
    Strings
    • @, xrefs: 6D036578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D0365C7
    • VirtualProtect failed with code 0x%x, xrefs: 6D03659A
    • Address %p has no image-section, xrefs: 6D0365DB
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 77d2dc340c2fc35b19a7868a9581fb4398634c0d0a7090f6aceaf62e6e5aa7f7
    • Instruction ID: b696e064027648769a617fdfa33ff20184ad7d797a66fa154bbb03f8f9993eb9
    • Opcode Fuzzy Hash: 77d2dc340c2fc35b19a7868a9581fb4398634c0d0a7090f6aceaf62e6e5aa7f7
    • Instruction Fuzzy Hash: 49415BB69043129FE700EF69E48571AFBF0FB85354F42CA2DE9589B215E770E444CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction ID: 89a64a7e3e0d8ea00a4646cd83330c200569ef8d03c25bcd1852658cf6ca7aae
    • Opcode Fuzzy Hash: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction Fuzzy Hash: 3F011EB5809315DFD710BFBDA60A31EBEF8AB46755F02856DD88987200DB7094148BA3
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction ID: 4a202f2b2f46d8e159116b5a94e5ad29fbc43cab268ec21c630205a2171ea9a0
    • Opcode Fuzzy Hash: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction Fuzzy Hash: B751A6756083269FE740DF29D48036EB7E5FBC8304F46892EE998DB200E776D545CB92
    APIs
    • malloc.MSVCRT ref: 6D03606F
    • fwrite.MSVCRT ref: 6D0360BD
    • abort.MSVCRT ref: 6D0360C2
    • free.MSVCRT ref: 6D0360E5
      • Part of subcall function 6D035FB0: _beginthread.MSVCRT ref: 6D035FD6
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE1
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE8
      • Part of subcall function 6D035FB0: fprintf.MSVCRT ref: 6D036008
      • Part of subcall function 6D035FB0: abort.MSVCRT ref: 6D03600D
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 75dd01a5f585020ae9889190f4bf368c9797b307fdffa1664d2abc41ccbbde1c
    • Instruction ID: 080c21f5643f0c6f589d1f6837b82ea17421b464af088f8c008a40af83661f1b
    • Opcode Fuzzy Hash: 75dd01a5f585020ae9889190f4bf368c9797b307fdffa1664d2abc41ccbbde1c
    • Instruction Fuzzy Hash: CF21E5B4908711CFD700AF29D58461ABBF4FF89304F46899DEA888B326D3759840CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6D035CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D035D89), ref: 6D035CEB
    • fwrite.MSVCRT ref: 6D035D20
    • abort.MSVCRT ref: 6D035D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D035D19
    • =, xrefs: 6D035D05
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: d5814695b6e2310706c765d664f659c5d0456d0facb5657572edc2accf6461bc
    • Instruction ID: cd429b8d801458a45d7f3995882a738a6f52ca5a359ad12064133a92c707e2e1
    • Opcode Fuzzy Hash: d5814695b6e2310706c765d664f659c5d0456d0facb5657572edc2accf6461bc
    • Instruction Fuzzy Hash: 18F0C9B0808302DFE700BF69D51932EBAF4BB41344F82895CD8998A280DBB991548F53
    APIs
    • Sleep.KERNEL32(?,?,?,6CFA12E0,?,?,?,?,?,?,6CFA13A3), ref: 6CFA1057
    • _amsg_exit.MSVCRT ref: 6CFA1085
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 71652288e25ea94356bfb31c3fc80946343a508a208b376040852f1f08a509b1
    • Instruction ID: 6e6cce696cac4a4c4e2523a67f703d74fb86d61090955bc0406c3b95b5a81ebc
    • Opcode Fuzzy Hash: 71652288e25ea94356bfb31c3fc80946343a508a208b376040852f1f08a509b1
    • Instruction Fuzzy Hash: 6141AE72608244CBEB00AFAAD48470BB7F5FB82748F12CA2DD5548B644DBB5C482CB93
    APIs
    • VirtualQuery.KERNEL32 ref: 6D03652D
    • VirtualProtect.KERNEL32 ref: 6D036587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0E53A8), ref: 6D036594
      • Part of subcall function 6D037220: fwrite.MSVCRT ref: 6D03724F
      • Part of subcall function 6D037220: vfprintf.MSVCRT ref: 6D03726F
      • Part of subcall function 6D037220: abort.MSVCRT ref: 6D037274
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1641855228.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 0000000D.00000002.1641736017.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642238941.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642361552.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642482495.000000006D03A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642595417.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1642969931.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643084610.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643308459.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643419931.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643531858.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1643638296.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 97e8950c80a025038bc46adea240b935086222b01aab93ffd75b5efa5fcfac14
    • Instruction ID: 622bd31f76f5b4ee472783cda8cacefb0df26ddc880623f15539f764b0a347c8
    • Opcode Fuzzy Hash: 97e8950c80a025038bc46adea240b935086222b01aab93ffd75b5efa5fcfac14
    • Instruction Fuzzy Hash: 512114B68083128FE700EF29D489719BBF0FB84314F42CA2DE9989B258E770D5448B92
    APIs
    Strings
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: bcfdcdd194f72bb31272ac1a187a012fb048e00b829f31681fb36db948dcd96f
    • Instruction ID: b6a68291f09893421d4b036f25f66c495346106cc4d8f18a42fe11ce7c78cd81
    • Opcode Fuzzy Hash: bcfdcdd194f72bb31272ac1a187a012fb048e00b829f31681fb36db948dcd96f
    • Instruction Fuzzy Hash: E1019DB4408302DFE700AF69D58831EBBF0BB98349F018A1DE8D896250D7B982488F93
    APIs
    • bsearch.MSVCRT ref: 6D034D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D035BEF), ref: 6D034D9A
    • malloc.MSVCRT ref: 6D034DC8
    • qsort.MSVCRT ref: 6D034E16
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction ID: f3726d8690514ea81f2a2d049e8c89df5ebb6772147bff2e37417d3e0bb127bf
    • Opcode Fuzzy Hash: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction Fuzzy Hash: FF415B75A083129FE710DF29D48072AB7F5FF88314F06892DE8898B714E775E854CB92
    APIs
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction ID: 641631b120be2bb29516fe888ebe434df9a58f96d35e7c31465bc85c418a0ae9
    • Opcode Fuzzy Hash: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction Fuzzy Hash: 2221D774614206CBE700EB39D84976677F0FF49314F468928E5A9CB290EB75E809CB52
    APIs
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: eecd00800fddf7e9ac07304e6d6ecf8701185e0e61bc8e8e3e00a2b8ebc2568d
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: CA115E71908222CFF7009F6CC88076A7BE4FF85354F568A69E598CB385EB74D840CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D036289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D03629A
    • GetCurrentThreadId.KERNEL32 ref: 6D0362A2
    • GetTickCount.KERNEL32 ref: 6D0362AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D0362B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction ID: aa01ed1ba078856b66c40604cd81f5a3ca7421f915e61161451b3c7ef2a40690
    • Opcode Fuzzy Hash: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction Fuzzy Hash: B4115EB55053028BDB10EF79E48874BBBF5FB89254F464E39E444C7200EB31D9488B92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D035E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction ID: 75bd92f05904712af5d1138305d126be69855629d33e2425f9a61e37eeca29ef
    • Opcode Fuzzy Hash: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction Fuzzy Hash: F00175B5914305CFDB00FF7DE58961ABBF9AF46210F42052DD8904B254DBB1A568CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D037248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: b0844b673c652b9d01a816dead33ec162ec3093ae28a1c52970c96a58c67cd52
    • Instruction ID: f278134a0dbe02ea98288a5555501b065a245129d2abd9d6ae0bb38349695003
    • Opcode Fuzzy Hash: b0844b673c652b9d01a816dead33ec162ec3093ae28a1c52970c96a58c67cd52
    • Instruction Fuzzy Hash: EDE0AEB080C31ADEE300AF65C08531EBAE4AF88348F43891CE2C847251C77894848B63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFA12A5), ref: 6D036709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6D036864
    • Unknown pseudo relocation bit size %d., xrefs: 6D036799
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 780b2633585ce91cc049221a9564f8a4a67b7f1483a874d214b6a7030a93a323
    • Instruction ID: 07d7daae529d722dc15c26c51d93214a2ef3219ed4e743c4ff9b9ba38db5cd85
    • Opcode Fuzzy Hash: 780b2633585ce91cc049221a9564f8a4a67b7f1483a874d214b6a7030a93a323
    • Instruction Fuzzy Hash: 0E61EF35A042278FEB00DFA8D4C0769B7B1FF85354B92CA2DD8459B306D3B0A8118BD2
    APIs
    Strings
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: d3b8fe110cd33dd1b2988d4173d61a1a022aab9060be1ce692eb729da8693c73
    • Instruction ID: 6739c13200b01a4936a4b36870c4d26e59515aa09f16b680695747168f630984
    • Opcode Fuzzy Hash: d3b8fe110cd33dd1b2988d4173d61a1a022aab9060be1ce692eb729da8693c73
    • Instruction Fuzzy Hash: 8501C5B981C322DFE700AF69944936EBBE4AF48358F43896DE9C897241E775C440CB53
    APIs
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction ID: a3a6bb79fca4a873a92eee24565d36daffe320853111629be77ac5dd8faf0526
    • Opcode Fuzzy Hash: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction Fuzzy Hash: A221E5B5A08212DBEB00EF25D1C471ABBE1BF88204F16C96CE8898F309D735D844CF82
    APIs
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction ID: e16fa7c0565141f27c6a33359c7655fe2a698f7feadc23692463e87a80932af4
    • Opcode Fuzzy Hash: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction Fuzzy Hash: ACF044B59042168FEB007F6DD489A1ABBB4EE49350B06066CDD4497305EF70E559CBE3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 11
    Total number of Limit Nodes: 1
    execution_graph (11 nodes, rebuilt from the graph dump; address → successor, API calls in parentheses):
    • 6d00cea0 → 6d00cec8 (VirtualAlloc); 6d00cea0 → 6d00ceb9 → 6d00cec8
    • 6d035fb0 → 6d035fc7 (_beginthread) → 6d036012
    • 6d035fc7 → 6d035fe1 (_errno) → 6d036020 (Sleep) → 6d035fc7; 6d036020 → 6d036034 → 6d035fe8 (_errno) → 6d035ff9 (fprintf, abort) → 6d036012
    • 6d035fe1 → 6d035fe8

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D035FF9
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000011.00000002.1638973207.000000006CFA0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1639377076.000000006D038000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1639480450.000000006D039000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1639589789.000000006D03D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1639711151.000000006D03F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640092148.000000006D0E8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640177623.000000006D0EE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640177623.000000006D0F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640372094.000000006D106000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640735993.000000006D10D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640812057.000000006D10E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1640903790.000000006D111000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 7cd95498feee0c905f0bba0d36ae1340b0e365a23b14351b335b859cec9dacb3
    • Instruction ID: c1ead3ccada2da2f0ed470e5155a0bcbc501a6e99d0b092ce82e472e01f8ac31
    • Opcode Fuzzy Hash: 7cd95498feee0c905f0bba0d36ae1340b0e365a23b14351b335b859cec9dacb3
    • Instruction Fuzzy Hash: 71016D74408326DFD7007F69D88872EBBF4EF86320F43492DE58583260C7709440DAA3

    Control-flow Graph

    control_flow_graph (3 basic blocks, rebuilt from the graph dump; block: address range → successors):
    • block 8: 6d00cea0-6d00ceb7 → block 9, block 10
    • block 9: 6d00cec8-6d00cee0 (VirtualAlloc)
    • block 10: 6d00ceb9-6d00cec6 → block 9
    APIs
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cb090b5f4a9b1e7a49aa4cf414030b1464c0b68a7e1920abc975b6d50006655f
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 20E0E571505640CFDB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 8bbdd7b5e7ccf2e9f19f4092c3d1b57c2c2277c43577d621ff4e4b6e6af6d423
    • Instruction ID: a67e94563b746c6370d1cfabcec8790bf8254522009dd9206c8c0e17eae4e1f4
    • Opcode Fuzzy Hash: 8bbdd7b5e7ccf2e9f19f4092c3d1b57c2c2277c43577d621ff4e4b6e6af6d423
    • Instruction Fuzzy Hash: 4511A7B5904205DFDB00FF69D14576ABBF1BB45304F41852DE948C7351EBB49944CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: fffcd914e8e1b426044f2e174771d88a6c0c3c36ec9adacb9cef2d30dce4006e
    • Instruction ID: 53119b6480ac0a0a169d27900350c3c1a13bb17561d6220408cd233a3aba47ec
    • Opcode Fuzzy Hash: fffcd914e8e1b426044f2e174771d88a6c0c3c36ec9adacb9cef2d30dce4006e
    • Instruction Fuzzy Hash: AD11B3B5804206DFDB00FF6AE149769BBF1BB06300F41862DE949C7341EBB49944CFA2

    APIs
    Strings
    • ;, xrefs: 6D035F18
    • unexpected cgo_bindm on Windows, xrefs: 6D035EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6D035F2C
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 2721269e3de2d76480f0faff15622f45258cbce2f55a655de858d99fcdfef448
    • Instruction ID: 712809af5921a4e76f4e7787d75ad322bed58c5b0b0e5da5a88d3dcbd4bc6e24
    • Opcode Fuzzy Hash: 2721269e3de2d76480f0faff15622f45258cbce2f55a655de858d99fcdfef448
    • Instruction Fuzzy Hash: 5811A4B5808251DFEB00BF79D10E32EBAF4BB45304F42891CE98597245DBB5A158CFA3
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6D03659A
    • @, xrefs: 6D036578
    • Address %p has no image-section, xrefs: 6D0365DB
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D0365C7
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 77d2dc340c2fc35b19a7868a9581fb4398634c0d0a7090f6aceaf62e6e5aa7f7
    • Instruction ID: b696e064027648769a617fdfa33ff20184ad7d797a66fa154bbb03f8f9993eb9
    • Opcode Fuzzy Hash: 77d2dc340c2fc35b19a7868a9581fb4398634c0d0a7090f6aceaf62e6e5aa7f7
    • Instruction Fuzzy Hash: 49415BB69043129FE700EF69E48571AFBF0FB85354F42CA2DE9589B215E770E444CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction ID: 89a64a7e3e0d8ea00a4646cd83330c200569ef8d03c25bcd1852658cf6ca7aae
    • Opcode Fuzzy Hash: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction Fuzzy Hash: 3F011EB5809315DFD710BFBDA60A31EBEF8AB46755F02856DD88987200DB7094148BA3
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction ID: 4a202f2b2f46d8e159116b5a94e5ad29fbc43cab268ec21c630205a2171ea9a0
    • Opcode Fuzzy Hash: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction Fuzzy Hash: B751A6756083269FE740DF29D48036EB7E5FBC8304F46892EE998DB200E776D545CB92
    APIs
    • malloc.MSVCRT ref: 6D03606F
    • fwrite.MSVCRT ref: 6D0360BD
    • abort.MSVCRT ref: 6D0360C2
    • free.MSVCRT ref: 6D0360E5
      • Part of subcall function 6D035FB0: _beginthread.MSVCRT ref: 6D035FD6
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE1
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE8
      • Part of subcall function 6D035FB0: fprintf.MSVCRT ref: 6D036008
      • Part of subcall function 6D035FB0: abort.MSVCRT ref: 6D03600D
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 75dd01a5f585020ae9889190f4bf368c9797b307fdffa1664d2abc41ccbbde1c
    • Instruction ID: 080c21f5643f0c6f589d1f6837b82ea17421b464af088f8c008a40af83661f1b
    • Opcode Fuzzy Hash: 75dd01a5f585020ae9889190f4bf368c9797b307fdffa1664d2abc41ccbbde1c
    • Instruction Fuzzy Hash: CF21E5B4908711CFD700AF29D58461ABBF4FF89304F46899DEA888B326D3759840CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6D035CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D035D89), ref: 6D035CEB
    • fwrite.MSVCRT ref: 6D035D20
    • abort.MSVCRT ref: 6D035D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D035D19
    • =, xrefs: 6D035D05
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: d5814695b6e2310706c765d664f659c5d0456d0facb5657572edc2accf6461bc
    • Instruction ID: cd429b8d801458a45d7f3995882a738a6f52ca5a359ad12064133a92c707e2e1
    • Opcode Fuzzy Hash: d5814695b6e2310706c765d664f659c5d0456d0facb5657572edc2accf6461bc
    • Instruction Fuzzy Hash: 18F0C9B0808302DFE700BF69D51932EBAF4BB41344F82895CD8998A280DBB991548F53
    APIs
    • Sleep.KERNEL32(?,?,?,6CFA12E0,?,?,?,?,?,?,6CFA13A3), ref: 6CFA1057
    • _amsg_exit.MSVCRT ref: 6CFA1085
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 71652288e25ea94356bfb31c3fc80946343a508a208b376040852f1f08a509b1
    • Instruction ID: 6e6cce696cac4a4c4e2523a67f703d74fb86d61090955bc0406c3b95b5a81ebc
    • Opcode Fuzzy Hash: 71652288e25ea94356bfb31c3fc80946343a508a208b376040852f1f08a509b1
    • Instruction Fuzzy Hash: 6141AE72608244CBEB00AFAAD48470BB7F5FB82748F12CA2DD5548B644DBB5C482CB93
    APIs
    • VirtualQuery.KERNEL32 ref: 6D03652D
    • VirtualProtect.KERNEL32 ref: 6D036587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0E53A8), ref: 6D036594
      • Part of subcall function 6D037220: fwrite.MSVCRT ref: 6D03724F
      • Part of subcall function 6D037220: vfprintf.MSVCRT ref: 6D03726F
      • Part of subcall function 6D037220: abort.MSVCRT ref: 6D037274
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 97e8950c80a025038bc46adea240b935086222b01aab93ffd75b5efa5fcfac14
    • Instruction ID: 622bd31f76f5b4ee472783cda8cacefb0df26ddc880623f15539f764b0a347c8
    • Opcode Fuzzy Hash: 97e8950c80a025038bc46adea240b935086222b01aab93ffd75b5efa5fcfac14
    • Instruction Fuzzy Hash: 512114B68083128FE700EF29D489719BBF0FB84314F42CA2DE9989B258E770D5448B92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: bcfdcdd194f72bb31272ac1a187a012fb048e00b829f31681fb36db948dcd96f
    • Instruction ID: b6a68291f09893421d4b036f25f66c495346106cc4d8f18a42fe11ce7c78cd81
    • Opcode Fuzzy Hash: bcfdcdd194f72bb31272ac1a187a012fb048e00b829f31681fb36db948dcd96f
    • Instruction Fuzzy Hash: E1019DB4408302DFE700AF69D58831EBBF0BB98349F018A1DE8D896250D7B982488F93
    APIs
    • bsearch.MSVCRT ref: 6D034D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D035BEF), ref: 6D034D9A
    • malloc.MSVCRT ref: 6D034DC8
    • qsort.MSVCRT ref: 6D034E16
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction ID: f3726d8690514ea81f2a2d049e8c89df5ebb6772147bff2e37417d3e0bb127bf
    • Opcode Fuzzy Hash: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction Fuzzy Hash: FF415B75A083129FE710DF29D48072AB7F5FF88314F06892DE8898B714E775E854CB92
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction ID: 641631b120be2bb29516fe888ebe434df9a58f96d35e7c31465bc85c418a0ae9
    • Opcode Fuzzy Hash: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction Fuzzy Hash: 2221D774614206CBE700EB39D84976677F0FF49314F468928E5A9CB290EB75E809CB52
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D036289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D03629A
    • GetCurrentThreadId.KERNEL32 ref: 6D0362A2
    • GetTickCount.KERNEL32 ref: 6D0362AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D0362B9
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D035E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E50
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D037248
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFA12A5), ref: 6D036709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D036799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D036864
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1639071137.000000006CFA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0