Windows Analysis Report
L0pD1MkYx9.dll

Overview

General Information

Sample name: L0pD1MkYx9.dll (renamed because the original name is a hash value)
Original sample name: f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161.dll
Analysis ID: 1544797
MD5: f12f9a7bc0c99d92fa5509954af20b03
SHA1: 40ada28d5fb3450d7bc46025e1bbec8b8eb9b122
SHA256: f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 876 cmdline: loaddll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1824 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1956 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 2400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2188 cmdline: rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5800 cmdline: rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4540 cmdline: rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3808 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2960 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2092 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3964 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1400 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4444 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7044 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 664 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5732 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6460 cmdline: rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CB81830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C831830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C831830
Source: L0pD1MkYx9.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: L0pD1MkYx9.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE5B30 GetLastError,FormatMessageA,fprintf,LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6358ab61-a4b6-4a38-a0a9-9c5979591139
Source: L0pD1MkYx9.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 836
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 832
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: L0pD1MkYx9.dllStatic PE information: Image base 0x6d8c0000 > 0x60000000
Source: L0pD1MkYx9.dllStatic file information: File size 1368576 > 1048576
Source: L0pD1MkYx9.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6CB513E0
Source: L0pD1MkYx9.dllStatic PE information: real checksum: 0x15874b should be: 0x1578fa
Source: L0pD1MkYx9.dllStatic PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBC509D pushad ; ret 4_2_6CBC509E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBC5094 pushad ; ret 4_2_6CBC5095
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04C3D813 push FFFFFFCCh; iretd 5_2_04C3D816
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0543AF34 push eax; retf 11_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0543C3B8 push esi; retf 11_2_0543C3C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C3DCD3 push ebp; ret 12_2_04C3DCD4
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C3D7A4 push esp; iretd 12_2_04C3D7A5
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C3D82C pushad ; iretd 12_2_04C3D82D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C3DC76 pushad ; ret 12_2_04C3DC7B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_04C80397 push ebp; retf 12_2_04C8039B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C875094 pushad ; ret 13_2_6C875095
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C87509D pushad ; ret 13_2_6C87509E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0483CD50 push ecx; ret 15_2_0483CD78
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0483CFB8 push esi; iretd 15_2_0483D226
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C875094 pushad ; ret 17_2_6C875095
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C87509D pushad ; ret 17_2_6C87509E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_0543CE06 push es; iretd 18_2_0543CE13
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_0503D2DD push esp; ret 22_2_0503D2E3
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBBC0C0 rdtscp 4_2_6CBBC0C0
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBBC0C0 rdtscp 4_2_6CBBC0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6CB513E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBE4E50 free,free,GetProcessHeap,HeapFree,4_2_6CBE4E50
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBE6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6CBE6300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C8962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6C8962FC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C896300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6C896300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C8962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6C8962FC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C896300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6C896300
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBE6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_6CBE6250
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CB81C90 RtlGetVersion,RtlGetCurrentPeb,4_2_6CB81C90
MITRE ATT&CK Matrix, listed per tactic (a leading number is the count of matching signatures):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: 2 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd; Scheduled Task
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: 11 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: 1 System Time Discovery; 3 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 3 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1544797; Sample: L0pD1MkYx9.dll; Start date: 29/10/2024; Architecture: WINDOWS; Score: 48; graphic omitted):
  • Sample signature: AI detected suspicious sample
  • loaddll32.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes
  • rundll32.exe (signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)) started WerFault.exe
  • cmd.exe started rundll32.exe, which started WerFault.exe
  • the second rundll32.exe started WerFault.exe

Source | Detection | Scanner | Label | Link
L0pD1MkYx9.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544797
Start date and time:2024-10-29 18:53:11 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:29
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:L0pD1MkYx9.dll
renamed because original name is a hash value
Original Sample Name:f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 5
  • Number of non-executed functions: 113
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 876 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1400 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1956 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2092 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2960 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4444 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4540 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5732 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5800 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6460 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 664 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7044 because there are no executed functions
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: L0pD1MkYx9.dll
Time | Type | Description
13:54:33 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.272745125582657
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:L0pD1MkYx9.dll
File size:1'368'576 bytes
MD5:f12f9a7bc0c99d92fa5509954af20b03
SHA1:40ada28d5fb3450d7bc46025e1bbec8b8eb9b122
SHA256:f6a464e21c347ce4291cd8c66b7cbf3802d67040d9f465a1087f097622385161
SHA512:8213a06788beb099f504465112046a4d4c08101af45950b3cf1ecf8a1d4be1340234b081e1459d692dbd4d696dc71ecd47b1bc2a01b5a0892a6b78b38b9b9cf1
SSDEEP:24576:1m7EVo6UnfLz0XGf3gvdRwtCFVDH5KqcbjuKkg02nMnh:1DCwKC5Mk
TLSH:C0552900FD8784F1E4032632856B62AF2325AD1A1F31DBC7FB44BA79FA776D50936285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m................................K.....@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F3A607DF3DCh
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F3A607DF242h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F3A6087425Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007F3A607DF399h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F3A608750AEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F3A607DF435h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F3A607DF3D3h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 869512a42e961e57616f032148dc6a6d | False | 0.4697671849001664 | data | 6.281902209470512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | 1f94bebbdcbcec536a165600bcbc3338 | False | 0.4201096754807692 | data | 4.442247840730038 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa6380 | 0xa6400 | 037624612421668b839f77479411ac62 | False | 0.43180069313909775 | data | 5.596739908256427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 6b7a484d2d9d38c50fa216c9dfccdb60 | False | 0.6669347426470589 | data | 6.630279014419963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found

Target ID:1
Start time:13:54:23
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll"
Imagebase:0x860000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:13:54:23
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff68cce0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:13:54:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Imagebase:0xc30000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:54:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarCreate
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:54:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",#1
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:13:54:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 836
Imagebase:0x430000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:13:54:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 836
Imagebase:0x430000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:13:54:27
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarDestroy
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:13:54:30
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\L0pD1MkYx9.dll,BarFreeRec
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarCreate
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarDestroy
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarFreeRec
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",_cgo_dummy_export
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellSpell
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 832
Imagebase:0x430000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellInit
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SpellFree
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",SignalInitializeCrashReporting
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",GetInstallDetailsPayload
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:13:54:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\L0pD1MkYx9.dll",BarRecognize
Imagebase:0x1000000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph (graphic omitted): node 52713 (6cbbcea0) -> 52714 (6cbbceb9) -> 52715 (6cbbcec8, WriteFile); 52713 -> 52715

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph (graphic omitted): block 0 6cbbcea0-6cbbceb7 (-> 1, -> 2); block 1 6cbbceb9-6cbbcec6 (-> 2); block 2 6cbbcec8-6cbbcee0 WriteFile
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 3c677ea6e7eed58044407e0823bd29584f14d86d49e9a36a2594a8de32feb858
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: CDE0E571505640CFCB15DF18C2C1316BBE1EB48A00F0485A8DE099FB4AD774ED10CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph (graphic omitted): basic blocks of the function spanning 6cbe4f30-6cbe57c3; API calls SetLastError, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, memcpy, IsBadReadPtr, memset, realloc; internal calls to 6cbe4e50 and 6cbe49e0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 2cdeadc3f155523a2107a725b6a0ba8962530bff3c364c1a16d391870087979e
    • Instruction ID: fd40438c347e07a5ceb08b204cb6208d54b09c9686add3de14d403411ec7a71a
    • Opcode Fuzzy Hash: 2cdeadc3f155523a2107a725b6a0ba8962530bff3c364c1a16d391870087979e
    • Instruction Fuzzy Hash: 5E4215B46097458FD710DF69C58461ABBF0FF88B88F548A2DE89987700E774E858CF86
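The control_flow_graph entries in this report are a flat token stream: a numeric node id followed by its address range, any Windows API names or `call <addr>` targets executed in that block, and `src->dst` edges. Answering a triage question such as "which path leads from the function entry to the HeapAlloc block?" is tedious by eye, so the following Python is an added example (not part of the Joe Sandbox report or the sample) that parses that notation into a graph and runs a breadth-first search over it. The grammar is inferred from the dumps on this page and is an assumption, in particular the reading of `call <addr> * <n>` as the same call repeated n times. The two inputs are excerpts copied from this report: a truncated prefix of the 6cbe4f30 graph above and a prefix of the 6cb659f0 graph that uses the repeated-call notation; function names such as `parse_cfg` and `find_path` are this example's own.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Token grammar of the "control_flow_graph" dump, inferred from this report (an assumption,
# not a documented Joe Sandbox format):
#   <id> <start>[-<end>]   basic block: numeric node id, then its virtual address range
#   <ApiName>              a Windows API called from the preceding block
#   call <addr>            a call into another function of the sample
#   * <n>                  the preceding call is repeated n times
#   <src>-><dst>           a control-flow edge between node ids
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,8}(-[0-9a-f]{6,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    nid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # API names and "sub_<addr>" targets, in order


@dataclass
class Cfg:
    entry: int    # first block listed; in these dumps also the lowest-address block
    blocks: dict  # node id -> Block
    succ: dict    # node id -> successor ids, in dump order


def parse_cfg(text: str) -> Cfg:
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succ, cur, entry = {}, {}, None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ.setdefault(int(edge.group(1)), []).append(int(edge.group(2)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.nid] = cur
            if entry is None:
                entry = cur.nid
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any block")
        elif tok == "call":
            cur.calls.append("sub_" + tokens[i + 1])
            i += 2
        elif tok == "*":  # "* n": repeat the previous call n times in total
            cur.calls.extend([cur.calls[-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        else:
            cur.calls.append(tok)
            i += 1
    if entry is None:
        raise ValueError("no blocks found")
    return Cfg(entry, blocks, succ)


def api_calls(cfg: Cfg) -> set:
    """Windows APIs called anywhere in the function (intra-sample sub_* calls excluded)."""
    return {c for b in cfg.blocks.values() for c in b.calls if not c.startswith("sub_")}


def find_path(cfg: Cfg, api: str):
    """Shortest entry-to-API path as a list of node ids, or None if no block calls `api`.
    Truncated dumps may reference blocks never defined; those are treated as leaves."""
    parent = {cfg.entry: None}
    queue = deque([cfg.entry])
    while queue:
        nid = queue.popleft()
        blk = cfg.blocks.get(nid)
        if blk is not None and api in blk.calls:
            path = []
            while nid is not None:
                path.append(nid)
                nid = parent[nid]
            return path[::-1]
        for nxt in cfg.succ.get(nid, []):
            if nxt not in parent:
                parent[nxt] = nid
                queue.append(nxt)
    return None


def path_addresses(cfg: Cfg, path) -> list:
    """Start addresses of the blocks on a path, formatted as in the report."""
    return [f"{cfg.blocks[n].start:08x}" for n in path]


# Excerpt copied from this report: the 6cbe4f30 graph, truncated after node 316.
LOADER_CFG = ("control_flow_graph 297 6cbe4f30-6cbe4f42 298 6cbe4f48-6cbe4f54 297->298 "
    "299 6cbe5350-6cbe536e SetLastError 297->299 300 6cbe4f5a-6cbe4f71 298->300 "
    "301 6cbe5330-6cbe533f SetLastError 298->301 300->299 303 6cbe4f77-6cbe4f88 300->303 "
    "302 6cbe5342-6cbe534e 301->302 303->301 304 6cbe4f8e-6cbe4f98 303->304 304->301 "
    "305 6cbe4f9e-6cbe4fa7 304->305 305->301 306 6cbe4fad-6cbe4fbb 305->306 "
    "307 6cbe5710-6cbe5712 306->307 308 6cbe4fc1-6cbe4fc3 306->308 309 6cbe4fc5-6cbe4fe3 308->309 "
    "309->309 310 6cbe4fe5-6cbe500f GetNativeSystemInfo 309->310 310->301 "
    "311 6cbe5015-6cbe5047 310->311 313 6cbe504d-6cbe5073 GetProcessHeap HeapAlloc 311->313 "
    "314 6cbe5370-6cbe53a3 311->314 315 6cbe5079-6cbe50e4 313->315 "
    "316 6cbe5731-6cbe576a SetLastError 313->316 314->313")

# Excerpt copied from this report: prefix of the 6cb659f0 graph, with "call <addr> * <n>".
GO_CFG = ("control_flow_graph 1107 6cb659f0-6cb65a05 1108 6cb66c61-6cb66c66 call 6cbbae50 "
    "1107->1108 1109 6cb65a0b-6cb65a31 call 6cbc0980 1107->1109 1108->1107 "
    "1114 6cb65a33-6cb65a38 1109->1114 1115 6cb65a3a-6cb65a3d 1109->1115 "
    "1116 6cb65a40-6cb65aa7 call 6cbc09b0 call 6cbbcff0 1114->1116 1115->1116 "
    "1121 6cb65ab3-6cb65b83 call 6cb89e30 call 6cbbad60 * 2 call 6cb89a20 1116->1121 "
    "1122 6cb65aa9-6cb65ab1 call 6cbbc260 1116->1122")

if __name__ == "__main__":
    cfg = parse_cfg(LOADER_CFG)
    print("APIs:", sorted(api_calls(cfg)))
    path = find_path(cfg, "HeapAlloc")
    print("entry -> HeapAlloc:", " -> ".join(path_addresses(cfg, path)))
```

The API set is the useful triage signal: a function that combines GetNativeSystemInfo, GetProcessHeap/HeapAlloc, memcpy, memset, realloc, IsBadReadPtr and SetLastError error exits, as the 6cbe4f30 graph does, is worth a manual look. By contrast, the strings in the later 6cb81570 and 6cb73xxx entries (bcryptprimitives.dll, ProcessPrng, NtCreateWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion, PowerRegisterSuspendResumeNotification) are the standard Windows initialization of the Go runtime, which the golang tag on this sample already implies, so on their own they are not evidence of intent; the suspend/resume signature in particular fires on ordinary Go binaries.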

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1107 6cb659f0-6cb65a05 1108 6cb66c61-6cb66c66 call 6cbbae50 1107->1108 1109 6cb65a0b-6cb65a31 call 6cbc0980 1107->1109 1108->1107 1114 6cb65a33-6cb65a38 1109->1114 1115 6cb65a3a-6cb65a3d 1109->1115 1116 6cb65a40-6cb65aa7 call 6cbc09b0 call 6cbbcff0 1114->1116 1115->1116 1121 6cb65ab3-6cb65b83 call 6cb89e30 call 6cbbad60 * 2 call 6cb89a20 1116->1121 1122 6cb65aa9-6cb65ab1 call 6cbbc260 1116->1122 1133 6cb65b85-6cb65b89 1121->1133 1134 6cb65b8b-6cb65b93 call 6cba9ba0 1121->1134 1122->1121 1135 6cb65b97-6cb65b99 1133->1135 1134->1135 1138 6cb65bcf-6cb65be5 1135->1138 1139 6cb65b9b-6cb65bca call 6cbaa140 call 6cba9cd0 1135->1139 1141 6cb65be7-6cb65bef call 6cbbc260 1138->1141 1142 6cb65bf1-6cb65c00 1138->1142 1139->1138 1141->1142 1145 6cb65c06-6cb65f1c call 6cbc09b0 call 6cbbad60 call 6cbbcff0 call 6cbbd050 call 6cbc09d0 * 2 call 6cb7fc30 call 6cbaf810 * 2 call 6cbc07f0 * 3 1142->1145 1146 6cb66c4a-6cb66c60 call 6cbb6a90 1142->1146 1175 6cb65f24-6cb65fc2 call 6cb5a4e0 call 6cb8ed60 call 6cb5a700 call 6cb71f00 call 6cb685c0 call 6cb7ce30 call 6cb729f0 1145->1175 1176 6cb65f1e 1145->1176 1146->1108 1191 6cb65fc4-6cb65fc6 1175->1191 1192 6cb65fd0-6cb65fd2 1175->1192 1176->1175 1193 6cb66c34-6cb66c45 call 6cbb6a90 1191->1193 1194 6cb65fcc-6cb65fce 1191->1194 1195 6cb66c1e-6cb66c2f call 6cbb6a90 1192->1195 1196 6cb65fd8-6cb66095 call 6cbbc476 call 6cbbc94a call 6cbbad60 call 6cb7d3f0 call 6cb75470 call 6cbbad60 * 2 1192->1196 1193->1146 1194->1192 1194->1196 1195->1193 1213 6cb66097-6cb660af call 6cb72a70 1196->1213 1214 6cb660b4-6cb660bc 1196->1214 1213->1214 1216 6cb660c2-6cb66130 call 6cbbc47a call 6cb86bb0 call 6cbafa50 1214->1216 1217 6cb66abf-6cb66b05 call 6cb5a4e0 1214->1217 1233 6cb66140-6cb6615e 1216->1233 1222 6cb66b07-6cb66b12 call 6cbbc260 1217->1222 1223 6cb66b14-6cb66b30 call 6cb5a700 1217->1223 1222->1223 1232 6cb66b55-6cb66b5e 1223->1232 1234 6cb66b32-6cb66b54 call 6cb543c0 1232->1234 1235 6cb66b60-6cb66b8b call 6cb6ed90 1232->1235 
1237 6cb66160-6cb66163 1233->1237 1238 6cb66169-6cb661ec 1233->1238 1234->1232 1248 6cb66b8d-6cb66b96 call 6cbbad60 1235->1248 1249 6cb66b9b-6cb66bf2 call 6cb98b70 * 2 1235->1249 1237->1238 1241 6cb66216-6cb6621c 1237->1241 1242 6cb66c14-6cb66c19 call 6cbbc2e0 1238->1242 1243 6cb661f2-6cb661fc 1238->1243 1250 6cb66222-6cb663bc call 6cbb7ed0 call 6cb86bb0 call 6cb87410 call 6cb87100 call 6cb87410 * 3 call 6cb87230 call 6cb87410 call 6cb86c10 call 6cbbc47a 1241->1250 1251 6cb66c0a-6cb66c0f call 6cbbc2e0 1241->1251 1242->1195 1246 6cb661fe-6cb6620a 1243->1246 1247 6cb6620f-6cb66211 1243->1247 1253 6cb66132-6cb6613e 1246->1253 1247->1253 1248->1249 1264 6cb66bf4-6cb66bfa 1249->1264 1265 6cb66c03-6cb66c09 1249->1265 1284 6cb6645e-6cb66461 1250->1284 1251->1242 1253->1233 1264->1265 1267 6cb66bfc 1264->1267 1267->1265 1285 6cb664e7-6cb66690 call 6cb86bb0 call 6cb87410 call 6cb86c10 call 6cbc0830 * 4 call 6cbbc476 1284->1285 1286 6cb66467-6cb66484 1284->1286 1321 6cb66717-6cb6671a 1285->1321 1288 6cb663c1-6cb66457 call 6cb680a0 call 6cbb7ed0 call 6cb86bb0 call 6cb87410 call 6cb86c10 1286->1288 1289 6cb6648a-6cb664e2 call 6cb86bb0 call 6cb87410 call 6cb86c10 1286->1289 1288->1284 1289->1288 1322 6cb667c0-6cb66a5a call 6cbc09b0 * 2 call 6cb86bb0 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb86c10 1321->1322 1323 6cb66720-6cb66744 1321->1323 1389 6cb66a7c-6cb66aad call 6cb86bb0 call 6cb86db0 call 6cb86c10 1322->1389 1390 6cb66a5c-6cb66a77 call 6cb86bb0 call 6cb87410 call 6cb86c10 1322->1390 1324 6cb66746-6cb66749 1323->1324 1325 6cb6674b-6cb66779 call 6cb86bb0 call 6cb87410 call 6cb86c10 1323->1325 1324->1325 1327 6cb6677e-6cb66780 1324->1327 1333 6cb66695-6cb66716 call 6cb680a0 call 6cbb7ed0 call 6cb86bb0 call 6cb87410 call 6cb86c10 1325->1333 1332 6cb66786-6cb667bb call 6cb86bb0 call 6cb87410 call 
6cb86c10 1327->1332 1327->1333 1332->1333 1333->1321 1389->1217 1402 6cb66aaf-6cb66aba call 6cb5a700 1389->1402 1390->1389 1402->1217
    Strings
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CB66C4A
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CB6699C
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CB65ABA
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CB66C34
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CB662C7
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CB66A06
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CB668DC
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CB6629A
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CB664A4, 6CB6678B
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CB664EC
    • ., xrefs: 6CB661FE
    • , xrefs: 6CB6606A
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CB66C1E
    • 5, xrefs: 6CB66C27
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: 76046c598efe166911ee9836e2c9a0c830bf194002b96f201a5129d1d2720da7
    • Instruction ID: 250b8cfe1fb99cada7c810dd19d47e3de460c5707e3af56c8aea4bb14437b161
    • Opcode Fuzzy Hash: 76046c598efe166911ee9836e2c9a0c830bf194002b96f201a5129d1d2720da7
    • Instruction Fuzzy Hash: 88B2F4746097848FC764DF68C190B9EBBF1FB8A308F05892ED88997751DB70A848CF56

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1404 6cb793f0-6cb79402 1405 6cb79f94-6cb79f99 call 6cbbae50 1404->1405 1406 6cb79408-6cb79450 1404->1406 1405->1404 1407 6cb79476-6cb7947d 1406->1407 1409 6cb79483-6cb794ed 1407->1409 1410 6cb7957b-6cb79581 1407->1410 1412 6cb794f3-6cb794f5 1409->1412 1413 6cb79f8c-6cb79f93 call 6cbbc320 1409->1413 1414 6cb79587-6cb795b3 call 6cb7c5d0 1410->1414 1415 6cb797f9-6cb79800 call 6cbbc2f0 1410->1415 1417 6cb79f85-6cb79f87 call 6cbbc340 1412->1417 1418 6cb794fb-6cb79545 1412->1418 1413->1405 1429 6cb795b5-6cb79620 call 6cb79360 1414->1429 1430 6cb79621-6cb79631 1414->1430 1421 6cb79805-6cb7980c 1415->1421 1417->1413 1422 6cb79547-6cb79550 1418->1422 1423 6cb79552-6cb79556 1418->1423 1427 6cb79810-6cb79812 1421->1427 1428 6cb79558-6cb79576 1422->1428 1423->1428 1433 6cb799fd 1427->1433 1434 6cb79818 1427->1434 1428->1427 1431 6cb79637-6cb79648 1430->1431 1432 6cb797f4 call 6cbbc2e0 1430->1432 1437 6cb797e1-6cb797e9 1431->1437 1438 6cb7964e-6cb79653 1431->1438 1432->1415 1436 6cb79a01-6cb79a0a 1433->1436 1439 6cb79f7e-6cb79f80 call 6cbbc2e0 1434->1439 1440 6cb7981e-6cb7984c 1434->1440 1442 6cb79d72-6cb79de0 call 6cb79360 1436->1442 1443 6cb79a10-6cb79a16 1436->1443 1437->1432 1444 6cb797c6-6cb797d6 1438->1444 1445 6cb79659-6cb79666 1438->1445 1439->1417 1447 6cb79856-6cb798af 1440->1447 1448 6cb7984e-6cb79854 1440->1448 1463 6cb79ee5-6cb79eeb 1442->1463 1451 6cb79d53-6cb79d71 1443->1451 1452 6cb79a1c-6cb79a26 1443->1452 1444->1437 1453 6cb7966c-6cb797b3 call 6cb86bb0 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb86c10 call 6cb86bb0 call 6cb87410 call 6cb87100 call 6cb86db0 call 6cb86c10 call 6cbb6a90 1445->1453 1454 6cb797b8-6cb797c1 1445->1454 1464 6cb798b1-6cb798bd 1447->1464 1465 6cb798bf-6cb798c8 1447->1465 1448->1421 1456 6cb79a41-6cb79a55 1452->1456 1457 6cb79a28-6cb79a3f 1452->1457 1453->1454 1461 6cb79a5c 1456->1461 1457->1461 
1466 6cb79a71-6cb79a91 1461->1466 1467 6cb79a5e-6cb79a6f 1461->1467 1468 6cb79eed-6cb79f02 1463->1468 1469 6cb79f68-6cb79f79 call 6cbb6a90 1463->1469 1471 6cb798ce-6cb798e0 1464->1471 1465->1471 1473 6cb79a98 1466->1473 1467->1473 1474 6cb79f04-6cb79f09 1468->1474 1475 6cb79f0b-6cb79f1d 1468->1475 1469->1439 1477 6cb798e6-6cb798eb 1471->1477 1478 6cb799c8-6cb799ca 1471->1478 1482 6cb79aa1-6cb79aa4 1473->1482 1483 6cb79a9a-6cb79a9f 1473->1483 1481 6cb79f1f 1474->1481 1475->1481 1479 6cb798f4-6cb79908 1477->1479 1480 6cb798ed-6cb798f2 1477->1480 1485 6cb799e2 1478->1485 1486 6cb799cc-6cb799e0 1478->1486 1487 6cb7990f-6cb79911 1479->1487 1480->1487 1488 6cb79f21-6cb79f26 1481->1488 1489 6cb79f28-6cb79f40 1481->1489 1490 6cb79aaa-6cb79d4e call 6cb86bb0 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb86db0 call 6cb86c10 call 6cb86bb0 call 6cb87410 call 6cb87230 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87230 call 6cb86db0 call 6cb86c10 call 6cb86bb0 call 6cb87410 call 6cb872a0 call 6cb87410 call 6cb87230 call 6cb86db0 call 6cb86c10 call 6cb86bb0 call 6cb87410 call 6cb87100 call 6cb87410 call 6cb87100 call 6cb86db0 call 6cb86c10 1482->1490 1483->1490 1492 6cb799e6-6cb799fb 1485->1492 1486->1492 1493 6cb79917-6cb79919 1487->1493 1494 6cb79452-6cb7946f 1487->1494 1495 6cb79f42-6cb79f4e 1488->1495 1489->1495 1490->1463 1492->1436 1498 6cb79922-6cb7993d 1493->1498 1499 6cb7991b-6cb79920 1493->1499 1494->1407 1500 6cb79f50-6cb79f55 1495->1500 1501 6cb79f5a-6cb79f5d 1495->1501 1505 6cb799a7-6cb799c3 1498->1505 1506 6cb7993f-6cb79944 1498->1506 1504 6cb7994b 1499->1504 1501->1469 1510 6cb7995e-6cb7996d 1504->1510 1511 6cb7994d-6cb7995c 1504->1511 1505->1421 1506->1504 1515 6cb79970-6cb799a2 1510->1515 1511->1515 1515->1421
    Strings
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CB79D15
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CB79C88
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CB797A2, 6CB79F68
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6CB79C04
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CB79C5B
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CB796CD
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CB796A4, 6CB79AED
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CB79B1A
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CB79CE8
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CB796F7, 6CB79721, 6CB79B44, 6CB79B6E
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CB7976B
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CB79BD7
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CB7967A, 6CB79AB3
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= 
GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 09964d37e9f17d5e6f873da87859d8ee5e5c0a9e4ddcd654bd6e1795c3164a26
    • Instruction ID: 06f33dd7b66d52af3a7777552ceb13021a8942a4122debf52149563fefe4c6df
    • Opcode Fuzzy Hash: 09964d37e9f17d5e6f873da87859d8ee5e5c0a9e4ddcd654bd6e1795c3164a26
    • Instruction Fuzzy Hash: 67525B75A197848FD720DF68C48079EB7F1FF89708F11892DE9A897740DB74A848CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1764 6cb81570-6cb8157e 1765 6cb8181e-6cb81823 call 6cbbae50 1764->1765 1766 6cb81584-6cb815b6 call 6cb832a0 1764->1766 1765->1764 1771 6cb815bc-6cb815ea call 6cb81470 1766->1771 1772 6cb81807-6cb8181d call 6cbb6a90 1766->1772 1777 6cb815fc-6cb81631 call 6cb832a0 1771->1777 1778 6cb815ec-6cb815f9 call 6cbbc270 1771->1778 1772->1765 1783 6cb817f1-6cb81802 call 6cbb6a90 1777->1783 1784 6cb81637-6cb81669 call 6cb81470 1777->1784 1778->1777 1783->1772 1788 6cb8167b-6cb81683 1784->1788 1789 6cb8166b-6cb81678 call 6cbbc270 1784->1789 1791 6cb81689-6cb816bb call 6cb81470 1788->1791 1792 6cb8172d-6cb8175f call 6cb81470 1788->1792 1789->1788 1800 6cb816cd-6cb816d5 1791->1800 1801 6cb816bd-6cb816ca call 6cbbc270 1791->1801 1798 6cb81771-6cb817a9 call 6cb81470 1792->1798 1799 6cb81761-6cb8176e call 6cbbc270 1792->1799 1813 6cb817bb-6cb817c4 1798->1813 1814 6cb817ab-6cb817b8 call 6cbbc270 1798->1814 1799->1798 1805 6cb817db-6cb817ec call 6cbb6a90 1800->1805 1806 6cb816db-6cb8170d call 6cb81470 1800->1806 1801->1800 1805->1783 1815 6cb8171f-6cb81727 1806->1815 1816 6cb8170f-6cb8171c call 6cbbc270 1806->1816 1814->1813 1815->1792 1820 6cb817c5-6cb817d6 call 6cbb6a90 1815->1820 1816->1815 1820->1805
    Strings
    • ntdll.dll, xrefs: 6CB81608
    • bcryptprimitives.dll, xrefs: 6CB8158D
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CB81807
    • NtAssociateWaitCompletionPacket, xrefs: 6CB81690
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CB817C5
    • NtCancelWaitCompletionPacket, xrefs: 6CB816E2
    • P, xrefs: 6CB817E4
    • , xrefs: 6CB8169A
    • RtlGetVersion, xrefs: 6CB8177E
    • ProcessPrng, xrefs: 6CB815BF
    • RtlGetCurrentPeb, xrefs: 6CB81734
    • , xrefs: 6CB816A2
    • NtCreateWaitCompletionPacket, xrefs: 6CB8163E
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-2332038095
    • Opcode ID: e1278d20bc7441127d386568e6f25000c33520cfb7a3f0abde08bd05f849d1b0
    • Instruction ID: a726d498d9253620579dcdc9a5f08d1a408f7ce0b309fea1f6fb4905d95918b9
    • Opcode Fuzzy Hash: e1278d20bc7441127d386568e6f25000c33520cfb7a3f0abde08bd05f849d1b0
    • Instruction Fuzzy Hash: 4B71B6B420A742DFDB44DF68C190A5ABBF0FB8A748F14882EE49987750DB74D848CF52
    Strings
    Similarity
    • API ID:
    • API String ID: 0-893999930
    • Opcode ID: 8dc3e8feecb5a27e991484ab30dfa427e5c69150482d719c7b35375776cd7fc6
    • Instruction ID: 3196680fd7e24a493fccaaf85f60705c7c8d5e8d3cf5a7ee11b077387ec1696c
    • Opcode Fuzzy Hash: 8dc3e8feecb5a27e991484ab30dfa427e5c69150482d719c7b35375776cd7fc6
    • Instruction Fuzzy Hash: F78226B460D7948FC764DF28C080A5EBBF1BF89708F44896DE8D88B781D7719949CB62
    Strings
    Similarity
    • API ID:
    • API String ID: 0-2809656213
    • Opcode ID: 5761dc2831e977b075286ab95d5997ae158792c1eab4f39c9147bea9d5f43751
    • Instruction ID: 589cf66c1d00944af5e9e671b51cca3c4cd593685d9a9607d3895acf4d3971ee
    • Opcode Fuzzy Hash: 5761dc2831e977b075286ab95d5997ae158792c1eab4f39c9147bea9d5f43751
    • Instruction Fuzzy Hash: 06C1BFB421A7818FD700EF68C19479EBBF4BF89708F11896CE49897B40DB759948CF62
    APIs
    Strings
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: ca9a64fa7ef3f7e1f0473eb26cd18cb01f7521e43f7e3149dfdc5da56f964ee2
    • Instruction ID: c33952a1da9fee7db54c620fa27335edb6b6f5a0ff2d731c33073cfe2704c20a
    • Opcode Fuzzy Hash: ca9a64fa7ef3f7e1f0473eb26cd18cb01f7521e43f7e3149dfdc5da56f964ee2
    • Instruction Fuzzy Hash: 250175B29097448FCB007F78A50632E7FF8EB46A95F05496DD48587611D7309414CFD3
    Strings
    Similarity
    • API ID:
    • API String ID: 0-234616912
    • Opcode ID: fd0b55d6f1092db35a9ab7dd9a527df5139fe323a9a811ec934031afd4f4b525
    • Instruction ID: c380d250eb8306d42327688ed7566ba85d504f1366072fa09622a54264556d60
    • Opcode Fuzzy Hash: fd0b55d6f1092db35a9ab7dd9a527df5139fe323a9a811ec934031afd4f4b525
    • Instruction Fuzzy Hash: A762CD746087918FC704CF69C09062ABBF1FF89718F14896DE8999B792DB35E849CF42
    Strings
    Similarity
    • API ID:
    • API String ID: 0-3686076665
    • Opcode ID: eff7b679ffb1a7c5643bc116bb8f5deb7ec9598e3400615a8a0e79d21cc2572a
    • Instruction ID: 913d0161b863f6948fceebfb8cc4e9e7a97f47e344a1d591a22db9e0250052d5
    • Opcode Fuzzy Hash: eff7b679ffb1a7c5643bc116bb8f5deb7ec9598e3400615a8a0e79d21cc2572a
    • Instruction Fuzzy Hash: 777257B4A483858FC714DF29D18069AFBF1BB89704F548A2DE99887740DB74E948CF93
    Strings
    Similarity
    • API ID:
    • API String ID: 0-3084215349
    • Opcode ID: 34e772e3011c23b9c044d3eb384defe6353de48de4651c6d91bf0e8a4eb3ec46
    • Instruction ID: 58656ca0f73a01877b0b4a7ff6c0d90a3e9b9c93827041ae77e0224608a370c0
    • Opcode Fuzzy Hash: 34e772e3011c23b9c044d3eb384defe6353de48de4651c6d91bf0e8a4eb3ec46
    • Instruction Fuzzy Hash: C703E174A093828FC328CF19C09069EFBE1BFC9314F15892EE99997751D770A949CB93
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 7c44b13a3dfd93d94907aabed2d4ca419ffc9e8876a8345360c416397411475d
    • Instruction ID: e5159d105761bc6db08abf13cc9f9e1192b13742a8097d7641715cc481a5486b
    • Opcode Fuzzy Hash: 7c44b13a3dfd93d94907aabed2d4ca419ffc9e8876a8345360c416397411475d
    • Instruction Fuzzy Hash: BF32C2B460D7818FC364DFA9C18079EBBE1EF89708F05896EE8D897751DB3098498B52
    Strings
    • &, xrefs: 6CB81C3D
    • winmm.dll, xrefs: 6CB81AF3
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CB81C0D
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CB81BD9
    • timeEndPeriod, xrefs: 6CB81B73
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CB81C34
    • timeBeginPeriod, xrefs: 6CB81B29
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 6cd72d2f9974c565f9925bcc64c88803e9fbb4c9886cacf84b3e25b619bf6c98
    • Instruction ID: 6ee16d947bb482f1210de6e990e14365f727fa169b282650478b61966bf9f2a1
    • Opcode Fuzzy Hash: 6cd72d2f9974c565f9925bcc64c88803e9fbb4c9886cacf84b3e25b619bf6c98
    • Instruction Fuzzy Hash: CD51C6B060A7819FDB04EF64C19475EBBF0BB49748F10881DE4A897B40DB75E848CF62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 5135471a81731b8b1f5ef4117346fd761dd26a0f636cafd8b24e894d31e6873f
    • Instruction ID: 8ce99fdb503df306dcfc4b304e43ad341600506f4fb75f45c36341bf3deeaf4e
    • Opcode Fuzzy Hash: 5135471a81731b8b1f5ef4117346fd761dd26a0f636cafd8b24e894d31e6873f
    • Instruction Fuzzy Hash: A6019DB05083019FD700AFA9C58931EBBF0AB88749F00895DE8D897251E7B986488F97
    Strings
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CB8E093
    • !, xrefs: 6CB8E0DE
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CB8E0BF
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6CB8E0D5
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CB8E0A9
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CB8E0EB
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: 40a5fa9f7647cea6cd525c7f376213580d77cadd6ebf2f0319f79e3319a4b77f
    • Instruction ID: 44fadfab58731d79281a3130205a5cdbdbedaab15a3ab0ee19d6c665df042300
    • Opcode Fuzzy Hash: 40a5fa9f7647cea6cd525c7f376213580d77cadd6ebf2f0319f79e3319a4b77f
    • Instruction Fuzzy Hash: 56A2D27460A7819FD714DF69D090B9EBBF0BF8A744F04892EE8D887790E7359848CB52
    Strings
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CB813C4
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CB81417
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CB81369
    • 5, xrefs: 6CB81420
    • d, xrefs: 6CB81276
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CB8139D, 6CB813F8, 6CB8144B
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: f65b03aa8f4b365eb035430d4cc42548394bf5b17f8132c25d09f965cd8b43de
    • Instruction ID: 24775549affcbf2e3487683f2d8b97b2fef21a43dcdca05dcf48c2a0359e1b3c
    • Opcode Fuzzy Hash: f65b03aa8f4b365eb035430d4cc42548394bf5b17f8132c25d09f965cd8b43de
    • Instruction Fuzzy Hash: 7451CFB421A7809FD740EF68C194B9EBBF4BB88748F04882DE49897B50DB749948CF53
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CBE6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CB513B9), ref: 6CBE629A
    • GetCurrentThreadId.KERNEL32 ref: 6CBE62A2
    • GetTickCount.KERNEL32 ref: 6CBE62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CB513B9), ref: 6CBE62B9
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: f33daaf4d60933f021a63d4f31720b00391515b882db4d6cd685b3ea60cc3f05
    • Instruction ID: 7a7a5bde5f39fbd238080686cd424188d41e899dac8f682cec98d2e7d35fae4a
    • Opcode Fuzzy Hash: f33daaf4d60933f021a63d4f31720b00391515b882db4d6cd685b3ea60cc3f05
    • Instruction Fuzzy Hash: DF1136B5A052408BDB00DFB9E48854BBBF4FB89AA4F050D3AE544C7600EB35D8488BD3
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CBE634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CBE635F
    • GetCurrentProcess.KERNEL32 ref: 6CBE6368
    • TerminateProcess.KERNEL32 ref: 6CBE6379
    • abort.MSVCRT ref: 6CBE6382
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: ac61816e2efee12c4ee7add99035d5d9f6a5530aa52f43f6497c348bd6ff865b
    • Instruction ID: d027d77116f37c652041d982a6a9aa9876bda725ba58427bdd230c9c04d40c8b
    • Opcode Fuzzy Hash: ac61816e2efee12c4ee7add99035d5d9f6a5530aa52f43f6497c348bd6ff865b
    • Instruction Fuzzy Hash: F71113B5A04245CFCB00EFA9C14962EBBF0FB4A744F00896DE988C7350E77499448F9B
    Strings
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CB7198C, 6CB719DB
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CB719C0
    • !, xrefs: 6CB71A18
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CB71A0F
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: b79dc282a5a76dddfebabeb05c553d4524d08030ccb2ef69deff8b5aa0f40f21
    • Instruction ID: 7baf22b2a817a6715b6211219c464cee9315e07586def05c2d005e2171e3fa65
    • Opcode Fuzzy Hash: b79dc282a5a76dddfebabeb05c553d4524d08030ccb2ef69deff8b5aa0f40f21
    • Instruction Fuzzy Hash: A4F1E2726093654FD314DE98C4D064EB7E2EBC4308F18863CDCA897781EB75E809C7A2
    Strings
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CB8A843
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CB8A690
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CB8A7B0
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CB8A7EB
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: e4ff2ecbee66835c56576c3b7b728915f491c86a832a14756913150e297114d4
    • Instruction ID: 326f97c8156924a0285e74f80540a21ce69ce019fc47be4e1e63c7941a7bce11
    • Opcode Fuzzy Hash: e4ff2ecbee66835c56576c3b7b728915f491c86a832a14756913150e297114d4
    • Instruction Fuzzy Hash: 88F1D27460A3808FC708CF69C1906AAFBF1FB89704F54896EE99897751DB70E945CF42
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: c5da66694787a0f016c2417ee311d5780ef41c3e0144037afb49321659982660
    • Instruction ID: 7880b2967952bfe33cc30537244c934a7021689c4f4da42a35b80040d6030171
    • Opcode Fuzzy Hash: c5da66694787a0f016c2417ee311d5780ef41c3e0144037afb49321659982660
    • Instruction Fuzzy Hash: CC21D2B56056408BDB04DF69D1C461ABBF5FF88A48F15C9ACE8898B70AD734D849CF82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 554a61a71418023dfc0f22880a63fb9c631398d26f92bb1a1ce86eda22cbe55e
    • Instruction ID: 5f53a6cde412a0b3d656a6b327a1d8dee14b4ee8eb1edbebc5af43701b6c9607
    • Opcode Fuzzy Hash: 554a61a71418023dfc0f22880a63fb9c631398d26f92bb1a1ce86eda22cbe55e
    • Instruction Fuzzy Hash: AC21D2B460A342DFD704CF25C08065ABBF0BB89748F44881EE49887750E739DA89CF83
    Strings
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CB969D7
    • <, xrefs: 6CB96A0D
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CB96A04
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 5b2e9c781d0ee9c77dd517030ed4a2f9cdf52f0415afe21b212a44c42add76d6
    • Instruction ID: 516bd4e7868d2cf597d977cc6b1394a445471f3bc63b7b80f5baa6e6b0203db9
    • Opcode Fuzzy Hash: 5b2e9c781d0ee9c77dd517030ed4a2f9cdf52f0415afe21b212a44c42add76d6
    • Instruction Fuzzy Hash: BE027970A087858FC754DF29C19061EBBE2FFC9704F54892DE9988B750EB71E845CB82
    Strings
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CB864A3
    • ', xrefs: 6CB864AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CB8648D
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 4c6ca98964c0bb4505dd91239367cc422c4d93942afc12cde7cbc876ec86269c
    • Instruction ID: d3f146d6f6e0cb48c42bdd1252aad29362e30112a59af3c7024f752274584564
    • Opcode Fuzzy Hash: 4c6ca98964c0bb4505dd91239367cc422c4d93942afc12cde7cbc876ec86269c
    • Instruction Fuzzy Hash: 32D1107460E3918BC704DF29C09065EBBF2AF8A708F44486DE9D59BB52D735E944CB43
    Strings
    • +, xrefs: 6CB76D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CB76D4E
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 31669f8192e2b2138f448c0486c2ba5a9e648acc492841d02193b07073bca187
    • Instruction ID: 88c2775a09d09932d13d470d32e2ea94961d7282d599473fc80a3bb1ee903b5d
    • Opcode Fuzzy Hash: 31669f8192e2b2138f448c0486c2ba5a9e648acc492841d02193b07073bca187
    • Instruction Fuzzy Hash: A222EE746093818FC764DF68C190A6EBBF1BF89744F14892DE8E987750EB35E8488B52
    Strings
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CB7B60F
    • @, xrefs: 6CB7B4FB
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: dc97799921e27fa8e235696811e536d8199470464bc01349030ad7749cc5acac
    • Instruction ID: 83d60e7cb192889859ed7c15f7c667b1793de66e93525872ca6acd14ca4dda26
    • Opcode Fuzzy Hash: dc97799921e27fa8e235696811e536d8199470464bc01349030ad7749cc5acac
    • Instruction Fuzzy Hash: 35A1D2756087098FD714DF18C88055EB7E1FFC8314F448A2DE9A99B751DB34E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: 67919e10c4ef777f575e559a4d55bd88edc5add9cfcfefa74848565ceeca84bb
    • Instruction ID: c4832b8d9e5d72766dbfb500a939026cc14315a3b930276c2fbf9c131d12571c
    • Opcode Fuzzy Hash: 67919e10c4ef777f575e559a4d55bd88edc5add9cfcfefa74848565ceeca84bb
    • Instruction Fuzzy Hash: E4517624C1DF9B65E63307BDC4026667B206EB3144B01D76FFDD6B58B2EB136940BA22
    Strings
    • ,, xrefs: 6CB6CFAA
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CB6CFA1
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: f357746cb77ce9f3a8877c0a0a4c772546c59baf51a8974153046fb4139a0749
    • Instruction ID: eb0c4922d53a59ec7b9bc90e3d29da0dec269b681764844bd178990dfb78c426
    • Opcode Fuzzy Hash: f357746cb77ce9f3a8877c0a0a4c772546c59baf51a8974153046fb4139a0749
    • Instruction Fuzzy Hash: DE318F75B493968FD305DF14C480A59B7F1BB86608F0981BDDC885F783CB31A84ACB86
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too largeHolderSpecialist0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O e, xrefs: 6CBD5B6E
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too largeHolderSpecialist0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O e
    • API String ID: 0-1633219435
    • Opcode ID: 9764c5e04d7f2dfd54826e6e5e94b5bfacf9b310aec2a24bf0317e4a32d1d623
    • Instruction ID: 2630043709b3bf177c7bbe4dca3459c0fa5fbb5744bc7b4c7b49f567ee287c6f
    • Opcode Fuzzy Hash: 9764c5e04d7f2dfd54826e6e5e94b5bfacf9b310aec2a24bf0317e4a32d1d623
    • Instruction Fuzzy Hash: B652F5B5A083858FD334CF19C5503DEBBE1ABD5308F45892DD9D897381EBB5A9488B83
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: aefec0e4f88fe00ca8161542772874d51a2d76b443876462f27deb36531bf1c6
    • Instruction ID: 71bb276eea078d8927dcad6fb892051b694eb3c3ab1b9739a9d112f8dd0536f9
    • Opcode Fuzzy Hash: aefec0e4f88fe00ca8161542772874d51a2d76b443876462f27deb36531bf1c6
    • Instruction Fuzzy Hash: 60228F7560D3C58BC724DE98C4C465EB7E1EFC9304F548A2ED9D98BB51DB32A806CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CB60D52
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 15cc647568cb6f4904c19375521955a2a8f968a4d75741ffd9c52276498c3253
    • Instruction ID: 88467cef7fcd22e91b17c52ba6d82e473b66d919b6ba1dc9128fe54c8ddd0a1a
    • Opcode Fuzzy Hash: 15cc647568cb6f4904c19375521955a2a8f968a4d75741ffd9c52276498c3253
    • Instruction Fuzzy Hash: E8D122706093859FC744DF2AD09066EBBE0FF89708F40896EE8D987B40E735D949CB56
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CB7D3CB
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: e594bbdb0e823adf280d2739aef73b324ff566dfd4de8c1f398c9de2c00eb37e
    • Instruction ID: 7ef6d149ee574f8bb3e1b0090bd58bfa835bedf7f1e61b5adc35ea92c5ae401b
    • Opcode Fuzzy Hash: e594bbdb0e823adf280d2739aef73b324ff566dfd4de8c1f398c9de2c00eb37e
    • Instruction Fuzzy Hash: 57B104746093859FC714DF68D08082EBBF1FB89398F55492DE8A497B50E730E949CFA2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 0f0f13b91af85168118484a1b350a65d2da51ad86c436d4b389b15c97a1694a9
    • Instruction ID: 903cbca3b9e03fef27ac01151cb7eb840bfd6390d4d3e79e514148cf0381d6c9
    • Opcode Fuzzy Hash: 0f0f13b91af85168118484a1b350a65d2da51ad86c436d4b389b15c97a1694a9
    • Instruction Fuzzy Hash: 6BA18271B083054FC70CDE6DD95131ABAE2ABC8304F09CA3DE589DB7A4E635D9098B86
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: ebff9965ab1fec1daf3ecbbec0f391eddad46fca540729a5e2cb1ce177c422e1
    • Instruction ID: ab0c554c068788a2d0742ce78e56f5df8d40639c96b885e5b62fd79bac5a427a
    • Opcode Fuzzy Hash: ebff9965ab1fec1daf3ecbbec0f391eddad46fca540729a5e2cb1ce177c422e1
    • Instruction Fuzzy Hash: EF9133B5A093449FC394DF28C08065EBBE1FF88704F44992EE8A997741E734D989CF92
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1acb070f3b10901e9c3d7abc31af8c146f42bdf19bde6a27c8c7fec131ecb1bc
    • Instruction ID: e08d260646cff8438a17ee5519d18611bdc090ae850b14d7235f3bea5242f4be
    • Opcode Fuzzy Hash: 1acb070f3b10901e9c3d7abc31af8c146f42bdf19bde6a27c8c7fec131ecb1bc
    • Instruction Fuzzy Hash: C3824775B08394CBC728CE5DC49169AF3F2BBDD300F55892ED9A993750EB70A905CB82
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 98f65a536ffb90c1d9854bcb6859c2de85bf820acc29fa1a39acee5b943ba762
    • Instruction ID: ecaa332fcfcb92d79a12ca74dc6c60e5dd63ce48502e405a5efab4f76f440092
    • Opcode Fuzzy Hash: 98f65a536ffb90c1d9854bcb6859c2de85bf820acc29fa1a39acee5b943ba762
    • Instruction Fuzzy Hash: 51227E75A0C7858FC724CE69C49039FF7E2FBC5304F56892DD98997744EBB1A8098B82
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8b341f25284bd0f3188eebe8c34f862549ff5a5d4ffa582f50c15d43568219f9
    • Instruction ID: f5e19591da752d8aae051e6850aa7759b620e0033c47ffa3f9be26c3ca7c7183
    • Opcode Fuzzy Hash: 8b341f25284bd0f3188eebe8c34f862549ff5a5d4ffa582f50c15d43568219f9
    • Instruction Fuzzy Hash: 70128772A087498FC314DE5DC98024AF7E6FBC4304F59CA3DD9589B755EB70B9098B82
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 23c28a2bc3d4660f019efa6150f479b173f665cce348de38e919cbd951c74c76
    • Instruction ID: 3b9ce2332534b508832502b2014805abf6ee817d3b999e826ac5aa73a4e906db
    • Opcode Fuzzy Hash: 23c28a2bc3d4660f019efa6150f479b173f665cce348de38e919cbd951c74c76
    • Instruction Fuzzy Hash: C2E10333B497594BD328ADAD88C025EB2D2ABC8344F19873CDD649B780FA75DD0A87D1
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a3a4368374ddb729e295655801fc73b60514d7dd8449835f4f00c4faf01ab3ac
    • Instruction ID: acab6e50f17fb3404ce5aa754351bdd359b26b6ca09be193027e23f6f1fc8c15
    • Opcode Fuzzy Hash: a3a4368374ddb729e295655801fc73b60514d7dd8449835f4f00c4faf01ab3ac
    • Instruction Fuzzy Hash: BB027F7560C3968FD324DEA8C48066EB7E1FF89304F548A2DE9D99B751D731E806CB82
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9c89d4ee22b40a7e26a285dbcddc79137d34df9a2ba8b7139ff7f6f34a5111ce
    • Instruction ID: bbf602bc95c1dbc243e71c3d41ebc21ce2020f7288831d1f9c7e58330ed3cf76
    • Opcode Fuzzy Hash: 9c89d4ee22b40a7e26a285dbcddc79137d34df9a2ba8b7139ff7f6f34a5111ce
    • Instruction Fuzzy Hash: 4CE1C533E2472507D3149E58CC80249B6D3ABC8670F4EC72DEDA5AB781E9B4ED5987C2
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c6f0f3c5112b2cc7a4c6dee257237781fb0c808d9b81630d7d4671431daa1976
    • Instruction ID: a12867dc60009b83eb7444f52e663bb98dff86406b9e6e38540620c545de96a8
    • Opcode Fuzzy Hash: c6f0f3c5112b2cc7a4c6dee257237781fb0c808d9b81630d7d4671431daa1976
    • Instruction Fuzzy Hash: F1E1A272A4D3954BC309CF29849031FFBE2ABC5704F468D6DE895CB741E775A909CB82
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c16d03ebd0a1f9fcd6798473202ba03e8507311284676debea6c0be84391dd60
    • Instruction ID: 13b98e05c69f30a1674c134ae9038f2cde1556094cebd805f9b0a751bc197195
    • Opcode Fuzzy Hash: c16d03ebd0a1f9fcd6798473202ba03e8507311284676debea6c0be84391dd60
    • Instruction Fuzzy Hash: 33C1E432B083554FC708DE6DC89061EB7E2ABC8304F49863DE859DB7A5E775ED068782
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f330510f01f9b8b4e3ef887e0d8797b4be7bb9d278638916eae8c4fe152dd654
    • Instruction ID: 37d7bd27d371740194c94c12830baef32db42f6583f3ad23d4aa4f938c7bfc59
    • Opcode Fuzzy Hash: f330510f01f9b8b4e3ef887e0d8797b4be7bb9d278638916eae8c4fe152dd654
    • Instruction Fuzzy Hash: 71E18F7160D3968FC314DFA8C48096EFBE1EF89304F444A6DE8959B792D730D946CB92
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0896f9da4ad0460d417df1ac221c059ff0d4ec0b581e37ca9d07b53308b5215d
    • Instruction ID: d730b6f6d0c154f44bd13e954979eb17769d7bbd0b64d58acd5942aafe145eb3
    • Opcode Fuzzy Hash: 0896f9da4ad0460d417df1ac221c059ff0d4ec0b581e37ca9d07b53308b5215d
    • Instruction Fuzzy Hash: 3BF1C07860D7D18FC364CF29C090B5EBBE2BBCA204F54892EE9D887751DB31A845CB52
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6e1d66189148ae3b9bd99c56ffddcea8b8c1bff481e2a2edd10003ad934ee83b
    • Instruction ID: 1f33bb2659ad3562eed7703b1e4ebe50a0ee073d3f31f761e47074f6f9f74038
    • Opcode Fuzzy Hash: 6e1d66189148ae3b9bd99c56ffddcea8b8c1bff481e2a2edd10003ad934ee83b
    • Instruction Fuzzy Hash: 9CC1527060432A4FC251CE5EDCC096A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 26ba68b232f57b35a6e61b86c7c0b039b7bfc368145728a172571b18e4115917
    • Instruction ID: 07d487d60aa5d67a4f61c3e4f1aeb363c5dadc187c0e4b991f5879d8599cdf05
    • Opcode Fuzzy Hash: 26ba68b232f57b35a6e61b86c7c0b039b7bfc368145728a172571b18e4115917
    • Instruction Fuzzy Hash: 78C1527060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa7a343db167c9f06d0318e80380e1f27d55343f2b0040592449d79c46cf1b6a
    • Instruction ID: 06360f55a3b7f9cb61921934831b9d8d6b0a0809fc43a3c8d1bcf16e3247bd3d
    • Opcode Fuzzy Hash: fa7a343db167c9f06d0318e80380e1f27d55343f2b0040592449d79c46cf1b6a
    • Instruction Fuzzy Hash: 269130326097594FC329EE99C4D051EB3E2EBC8348F18873CDD790B780EB75A9098792
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000004.00000002.1450135419.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450224814.000000006CBE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450245614.000000006CBE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450267388.000000006CBEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450287958.000000006CBEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450355060.000000006CC98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CC9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450376477.000000006CCA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450419040.000000006CCB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450438606.000000006CCBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450456521.000000006CCBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1450477572.000000006CCC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: af57e252bd1c704dc4ff426df57ce80ebf173c52fd3009f51a051acd7b985f31
    • Instruction ID: 782d518b91ab65df69bc050fd6556b4e180831c6e882b094962722915f795091
    • Opcode Fuzzy Hash: af57e252bd1c704dc4ff426df57ce80ebf173c52fd3009f51a051acd7b985f31
    • Instruction Fuzzy Hash: D2812137A497790FD721EDA988C024E3292EBC8318F19463CDC349B7C5EB74990583D2
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6CBE65DB
    • VirtualProtect failed with code 0x%x, xrefs: 6CBE659A
    • @, xrefs: 6CBE6578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CBE65C7
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: e790a68668d57a857aa52dac69122e55cf7fde518fbe65c0f4ad86a2f1013310
    • Instruction ID: 2d2005421c4370905617d30f301e1c721970b68f9ef58c33830c4641796a5903
    • Opcode Fuzzy Hash: e790a68668d57a857aa52dac69122e55cf7fde518fbe65c0f4ad86a2f1013310
    • Instruction Fuzzy Hash: 10419CB2A053458FC700DFA9D48464AFBF0FF89794F058A6DD9989B714E330E845CB92
    APIs
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: d6ccba0d6b99a7328f0a35753acf5870cf43cb6e0394d6d9262dafe924a60161
    • Instruction ID: 00346175892578753bf268d001dc5bcb1b54db6150e4dc78055d261439c7d325
    • Opcode Fuzzy Hash: d6ccba0d6b99a7328f0a35753acf5870cf43cb6e0394d6d9262dafe924a60161
    • Instruction Fuzzy Hash: D151BC766083548FC700DFA9D48029AB7E5FBCCB84F05892EE998D7700E775D94A8F92
    APIs
    • CreateEventA.KERNEL32 ref: 6CBE5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CBE5D89), ref: 6CBE5CEB
    • fwrite.MSVCRT ref: 6CBE5D20
    • abort.MSVCRT ref: 6CBE5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CBE5D19
    • =, xrefs: 6CBE5D05
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 9365a7f339a8f17f434fb4b699b0df2678811998973c74e015fdf9e16211000b
    • Instruction ID: 1fbbc289d289b2e2a8a1e7f0adddf0879ea85997d07bb30ded63633a41378dbf
    • Opcode Fuzzy Hash: 9365a7f339a8f17f434fb4b699b0df2678811998973c74e015fdf9e16211000b
    • Instruction Fuzzy Hash: 1DF037B05043419FE700BFA8C50935EBBF0FF45788F91885CE8989A241EBB98048CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6CB512E0,?,?,?,?,?,?,6CB513A3), ref: 6CB51057
    • _amsg_exit.MSVCRT ref: 6CB51085
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 51d2df502fcf293f3baed3f8c42fe2a8902caa1cd1bba745526d162028dc3a2b
    • Instruction ID: 71ce76e5a91d90ea21f9f80d14d6d4ee9b53d10c5561823c599b7380d89483f2
    • Opcode Fuzzy Hash: 51d2df502fcf293f3baed3f8c42fe2a8902caa1cd1bba745526d162028dc3a2b
    • Instruction Fuzzy Hash: 9841D071708280CBEB01AFADC48170AB7F8EB92788F98456ED5449BB01D775C4A1CB93
    APIs
    • bsearch.MSVCRT ref: 6CBE4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CBE5BEF), ref: 6CBE4D9A
    • malloc.MSVCRT ref: 6CBE4DC8
    • qsort.MSVCRT ref: 6CBE4E16
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 05ae486d4b75148c69cd93243deb239bb7161c6d6f71e313bc2fed11f0fbf753
    • Instruction ID: 7b6f55ccf770b3ef37e4cb43119b2cb05dd9d022dc77ed0288d4c2d2cb406071
    • Opcode Fuzzy Hash: 05ae486d4b75148c69cd93243deb239bb7161c6d6f71e313bc2fed11f0fbf753
    • Instruction Fuzzy Hash: B3416A756083508FD710DFA9D48061AB7F5FF88B54F15896DE88987B15E7B4E808CF82
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: eb5c39a171df380040dd402b111cd37161be733423de0dad0ba1ec30d89cc2dd
    • Instruction ID: 8796d83c4ac81a42b935be7f6f5946a8f4ae485863e1570751da387c015fbc5b
    • Opcode Fuzzy Hash: eb5c39a171df380040dd402b111cd37161be733423de0dad0ba1ec30d89cc2dd
    • Instruction Fuzzy Hash: F021D574604244CBD700AB78C884A5677F4FF8D768F148928E4AACB380EB34E849CB57
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: e3ddfe3e83fcf7a506aae18b19df9c12766d5bc4e7906655191906719673ea60
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: E1118E701443418FE7009F68D88075A7BE4FF49B94F148A69E498EFB86EBB4D844CB53
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CBE5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CBE45D9), ref: 6CBE5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBE45D9), ref: 6CBE5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CBE45D9), ref: 6CBE5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CBE45D9), ref: 6CBE5E50
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 017f18dacdad26ef7a6a2c1bdc72e6089d25aac5d422c25ba17823c70cf99d43
    • Instruction ID: 828f5925fee7efa4e75fc14dba25598ede81d4ebff907474db3eebb3037de015
    • Opcode Fuzzy Hash: 017f18dacdad26ef7a6a2c1bdc72e6089d25aac5d422c25ba17823c70cf99d43
    • Instruction Fuzzy Hash: A60148B16083488FDA00BFB9998655EBBB8FF46750F91092DE89447250E731A468CBA7
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CBE7248
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: e423c0db15ec53640bcbe403de1eee62201608018a887fc8a22ee17c40c0824b
    • Instruction ID: 749acb9f1c9dba12e3e0e69a775e292bab5b8eb2ec94f43ad2c856b2b7fb5933
    • Opcode Fuzzy Hash: e423c0db15ec53640bcbe403de1eee62201608018a887fc8a22ee17c40c0824b
    • Instruction Fuzzy Hash: 14E0C2B00083449FD300AF64C08529EBBE4AF89B88F418A1CE0C95BB52D7B884889B53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CB512A5), ref: 6CBE6709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6CBE6864
    • Unknown pseudo relocation bit size %d., xrefs: 6CBE6799
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 1ce0097615bd6c9b86f0565fca283e9d44ad21e1e1397a3ee4ef780ac4fa5b56
    • Instruction ID: db58805572078def9446cab133ae7b6215392f89b22c2a2dbd7cca46022fff1e
    • Opcode Fuzzy Hash: 1ce0097615bd6c9b86f0565fca283e9d44ad21e1e1397a3ee4ef780ac4fa5b56
    • Instruction Fuzzy Hash: A161F571B0424D9FCB04DF69D4C068DB7B5FB89798F688669DA14DBB00E370E8468B82
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 0cd4cd3828a1acdd0f69a7438ad95e6411c8b0073284d0a12ceeb9401ab6b19e
    • Instruction ID: 49456ab27608e1cfc0e9d798c91ea41c5488d100386c84f0838c5339629cde44
    • Opcode Fuzzy Hash: 0cd4cd3828a1acdd0f69a7438ad95e6411c8b0073284d0a12ceeb9401ab6b19e
    • Instruction Fuzzy Hash: 870129B58093908FD740AF68D44925EFBE4EF4CB98F51892EE8C897741E3B88444CB93
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1450159267.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 5fb8a20b7aeb923e9acc83ebc8dba9765664197f567f55650453236d1b2f75a4
    • Instruction ID: ebec2f7b7a3626d15b1d07a48b39aa41c0d922a18d5228c515bbe9f109489748
    • Opcode Fuzzy Hash: 5fb8a20b7aeb923e9acc83ebc8dba9765664197f567f55650453236d1b2f75a4
    • Instruction Fuzzy Hash: 7CF0A476A006488FDB007FFDC48991A7BB4EA49B94B05066DDE44D7205E730A418CBE3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 11
    Total number of Limit Nodes: 1

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6C895FF9
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 5241c19633d51a8d0119aa7449a16e02b2cb7223a942d498dc31b4732d341b4b
    • Instruction ID: 974a3aa711ac0b116e07a154ac00f9851ac6325537b0664bf1d13a712d446085
    • Opcode Fuzzy Hash: 5241c19633d51a8d0119aa7449a16e02b2cb7223a942d498dc31b4732d341b4b
    • Instruction Fuzzy Hash: 8C01ADB05083049FC7107F6ECA8852EBFB4EF86328F154A2DE58983790C7309444DBA3

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 891e36ee6d208984a47cfe19bfca10d92e8427e1f30c6a64f302852d6305fe68
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: CAE0E571505600CFCB15DF18C2C1306BBF1EB48A00F0489A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C89634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C89635F
    • GetCurrentProcess.KERNEL32 ref: 6C896368
    • TerminateProcess.KERNEL32 ref: 6C896379
    • abort.MSVCRT ref: 6C896382
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: ae7ff02eba500b234258883210d4f7b574844f0b043d706d3a27606a3b19dc56
    • Instruction ID: 9d03cfd7d024f035ff98fe87e72044de79d06952399875c08a76830d8a628204
    • Opcode Fuzzy Hash: ae7ff02eba500b234258883210d4f7b574844f0b043d706d3a27606a3b19dc56
    • Instruction Fuzzy Hash: C91116B5A08241DFEB00EF6EC64562ABBF0BB46344F20892DE848C7390E7349944CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C89634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C89635F
    • GetCurrentProcess.KERNEL32 ref: 6C896368
    • TerminateProcess.KERNEL32 ref: 6C896379
    • abort.MSVCRT ref: 6C896382
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b7c6adccdd5018c990277fa64303b3fe49f9e6593e0f93f36835c67a392e11e3
    • Instruction ID: a5d6c57455501953f8df2e89f9c95ad8d4a36863fbc7c614cd39677fc726ad37
    • Opcode Fuzzy Hash: b7c6adccdd5018c990277fa64303b3fe49f9e6593e0f93f36835c67a392e11e3
    • Instruction Fuzzy Hash: 0911F3B5A09241DFEB00EF7EC6496297BF0BB06305F20892DE94897380E7749904CF92

    Control-flow Graph

    APIs
    Strings
    • unexpected cgo_bindm on Windows, xrefs: 6C895EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6C895F2C
    • ;, xrefs: 6C895F18
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 3f6a105a60e6c1709b15534c799a660a68baa31c0ac505cace2f2b8f9b9cacd8
    • Instruction ID: 8077fed6874654092953285003ff13d4e8c4e58b7a4056b64f8be7e26afbf5d2
    • Opcode Fuzzy Hash: 3f6a105a60e6c1709b15534c799a660a68baa31c0ac505cace2f2b8f9b9cacd8
    • Instruction Fuzzy Hash: 3C11B8B1508340DFEB10BFBDC50A66EBFB0BB41304F51896DE88547A91D7769158CB93
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6C8965DB
    • @, xrefs: 6C896578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6C8965C7
    • VirtualProtect failed with code 0x%x, xrefs: 6C89659A
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 2ca2133f5b8c3f225fd37d709783dc3119b1f2360bcba39a5d9f1cb780b46f59
    • Instruction ID: ed53dc536917cd419435581be066b8a08a38139a712ea460590ebdd5fbc247da
    • Opcode Fuzzy Hash: 2ca2133f5b8c3f225fd37d709783dc3119b1f2360bcba39a5d9f1cb780b46f59
    • Instruction Fuzzy Hash: CE418BB2A093018BDB50EF6AD58465AFBF0FB85758F158A2DE8588B754E330E504CBD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: c1ce523fb157319a932d385b9939cfe96b2f38e7a6ab0fa24d8b97fdeca5fe79
    • Instruction ID: 2a0e2edae89fd4c05a5ca14758c4f98a9169ca56d416ad675d041d73ea6f406d
    • Opcode Fuzzy Hash: c1ce523fb157319a932d385b9939cfe96b2f38e7a6ab0fa24d8b97fdeca5fe79
    • Instruction Fuzzy Hash: 920152B2A093048BDB207F799B0635EBFF8AB42659F41492DE48587650D7309418CBD3
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: e7e85e59674a50a4802eb692cf89397c63799e5b40a2abb7d6a7ef0ba956e4ae
    • Instruction ID: 8f56d1dc67db92a3a04d87446aaf93452479e21abe1e85f60be78fabe2507886
    • Opcode Fuzzy Hash: e7e85e59674a50a4802eb692cf89397c63799e5b40a2abb7d6a7ef0ba956e4ae
    • Instruction Fuzzy Hash: C151AC766083158FD7109F2DD5802AAB7E5FBC8308F158D3EE9A8C7600E775D949CB92
    APIs
    • malloc.MSVCRT ref: 6C89606F
    • fwrite.MSVCRT ref: 6C8960BD
    • abort.MSVCRT ref: 6C8960C2
    • free.MSVCRT ref: 6C8960E5
      • Part of subcall function 6C895FB0: _beginthread.MSVCRT ref: 6C895FD6
      • Part of subcall function 6C895FB0: _errno.MSVCRT ref: 6C895FE1
      • Part of subcall function 6C895FB0: _errno.MSVCRT ref: 6C895FE8
      • Part of subcall function 6C895FB0: fprintf.MSVCRT ref: 6C896008
      • Part of subcall function 6C895FB0: abort.MSVCRT ref: 6C89600D
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: b03aa9acd126e76ce1ab7d2a451c190fa4e074954167796917ca5db0de19b9b9
    • Instruction ID: 969ec2f91cbbf58913b4737f05324f14521e9a7e63a2b641400a86ceaf35595f
    • Opcode Fuzzy Hash: b03aa9acd126e76ce1ab7d2a451c190fa4e074954167796917ca5db0de19b9b9
    • Instruction Fuzzy Hash: 0C21E3B5508700CFD710AF2DC68595ABBF4FF89304F5589ADE9888B726D339A844CB92
    APIs
    • CreateEventA.KERNEL32 ref: 6C895CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C895D89), ref: 6C895CEB
    • fwrite.MSVCRT ref: 6C895D20
    • abort.MSVCRT ref: 6C895D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6C895D19
    • =, xrefs: 6C895D05
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 09fb98b36f138a99851a52904eccf7db395d627fdcfbef51021433e3682b784e
    • Instruction ID: 294d4aac758d9ea215507dbf9bdcaa155f8634ea97e271dd77574ceba088836f
    • Opcode Fuzzy Hash: 09fb98b36f138a99851a52904eccf7db395d627fdcfbef51021433e3682b784e
    • Instruction Fuzzy Hash: 4DF0ECB15083019FEB00BF69C60932EBBF0BB41309F91896DE89987690D7798148CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6C8012E0,?,?,?,?,?,?,6C8013A3), ref: 6C801057
    • _amsg_exit.MSVCRT ref: 6C801085
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 843b0ce9db73910458baba76c381a182dc68626af6231660976b08011c204f20
    • Instruction ID: ec0a885b07fcb0b875b3c61ff352132107a33500b0aed85bfe177aeb19b78c80
    • Opcode Fuzzy Hash: 843b0ce9db73910458baba76c381a182dc68626af6231660976b08011c204f20
    • Instruction Fuzzy Hash: 2441857170D244CBFB10AF6EDA81756B7F0EB4675CF60492EE58487A41D735C484CB92
    APIs
    • VirtualQuery.KERNEL32 ref: 6C89652D
    • VirtualProtect.KERNEL32 ref: 6C896587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C945388), ref: 6C896594
      • Part of subcall function 6C897220: fwrite.MSVCRT ref: 6C89724F
      • Part of subcall function 6C897220: vfprintf.MSVCRT ref: 6C89726F
      • Part of subcall function 6C897220: abort.MSVCRT ref: 6C897274
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 51d65f14199bdad1b40b2e212b8081eae70c835f69e18a12d1eaaa2fc22ea613
    • Instruction ID: 985900e4947b552784fdf272b07a2d4bac30a626246530ad12c4a228a5e3e3a4
    • Opcode Fuzzy Hash: 51d65f14199bdad1b40b2e212b8081eae70c835f69e18a12d1eaaa2fc22ea613
    • Instruction Fuzzy Hash: 572128B29093018FEB50EF69C584659FBF0FF85318F558A2DE998C7664E330D5048B92
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: ee06cfe2e64340efa203b5e8e946e87879eea30af4262a2933f66bee31d50de4
    • Instruction ID: 550a59ee7931a9cff1ee02f28669949ec2e198d5b75ba6df609f5a427dea3385
    • Opcode Fuzzy Hash: ee06cfe2e64340efa203b5e8e946e87879eea30af4262a2933f66bee31d50de4
    • Instruction Fuzzy Hash: 440192B05083019FE700AF69C58971ABBF0BB88349F10891DE99896290D77582498F93
    APIs
    • bsearch.MSVCRT ref: 6C894D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C895BEF), ref: 6C894D9A
    • malloc.MSVCRT ref: 6C894DC8
    • qsort.MSVCRT ref: 6C894E16
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: b3ecbfddc353509af73f9919eff7633f9ec20cc8256ce60dd44e291655c7224c
    • Instruction ID: 36ea5b91d0cdb84e2b66f03d6a8e128c5bd2d2762b32f4d7469f3c05e0d87373
    • Opcode Fuzzy Hash: b3ecbfddc353509af73f9919eff7633f9ec20cc8256ce60dd44e291655c7224c
    • Instruction Fuzzy Hash: E64126796093018BD720DF2AD58061AB7E1FFC8319F158D2DE89987B64E774E848CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 23c8b66a4b369a781786a277657499af1196537ece8de95b67dc82d162386022
    • Instruction ID: 20c215f46e11c3415d20141d93ed867d297cad144f77c6387e7142b17386cacd
    • Opcode Fuzzy Hash: 23c8b66a4b369a781786a277657499af1196537ece8de95b67dc82d162386022
    • Instruction Fuzzy Hash: 1C219830608304CBD710AB3DD944657B7F5AF85319F158E28D4A9CB280EB35E809CB52
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 9c7da98b22b4513d1ef67780f8d634977d2498ef46888cc63c9a621e6e902bf3
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 40112B70209201CFE7609F6CCA8075ABBE4FF85354F148E69E498CBB85EB74D844CB62
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6C896289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8013B9), ref: 6C89629A
    • GetCurrentThreadId.KERNEL32 ref: 6C8962A2
    • GetTickCount.KERNEL32 ref: 6C8962AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8013B9), ref: 6C8962B9
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: a62cd0e500bc24813d1885a29c9b51c61d0b8ceb882c08c7a26d63f2e2263a00
    • Instruction ID: 093f8aed943fadfc58f71641ecc92d5f953190fb93a281d72d0d55e5173b24f2
    • Opcode Fuzzy Hash: a62cd0e500bc24813d1885a29c9b51c61d0b8ceb882c08c7a26d63f2e2263a00
    • Instruction Fuzzy Hash: FC1148B5A093408BDB10DF79E98865BBBF5FB89668F150D3EE444C6740EA31D8488BD3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6C895E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E50
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: e60cd6ab3d87ecf5e24f570cbda66b76b40d5b8a482fb7c65ff5f62c84381d6b
    • Instruction ID: 9e0e44f49ab85713d4544c24ddab36a919b059bbd00d427e4f6025b42c135629
    • Opcode Fuzzy Hash: e60cd6ab3d87ecf5e24f570cbda66b76b40d5b8a482fb7c65ff5f62c84381d6b
    • Instruction Fuzzy Hash: 84011671508344CFEF10BFBE998591EBBB4BF46214F51092EE89447A90D7329469CB93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6C897248
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: c8a3a8d545d61efb2cb1a31792d1f2de38c6db844c8b56ba1fa71bed912f740c
    • Instruction ID: 58b1a55eb27d9293553b53b25ec669ff8992c1a315bf3de55adf6080fe6ba3fb
    • Opcode Fuzzy Hash: c8a3a8d545d61efb2cb1a31792d1f2de38c6db844c8b56ba1fa71bed912f740c
    • Instruction Fuzzy Hash: BEE0C2B00083049ED320AFACC68529EBAE4BF85348F41CD2CE0C947B51D77884888F53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8012A5), ref: 6C896709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6C896799
    • Unknown pseudo relocation protocol version %d., xrefs: 6C896864
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 9b4c04af02550a554af533dadf3082de1b82ed4da9ed2b5a753e1a513e1ccb87
    • Instruction ID: 408a0eb28f660131fd4cc7b1b2228fede79ddbcaced2652fcb698f9fe55d2732
    • Opcode Fuzzy Hash: 9b4c04af02550a554af533dadf3082de1b82ed4da9ed2b5a753e1a513e1ccb87
    • Instruction Fuzzy Hash: 7261AD71B04209CFCB64DFADC6C0659B7B2FB85318F248A29E819EBB45D370E8058BD1
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 671de7441721ea5a7180e657779b0c5eebdd3f18fbec9ef0990226c6d5f20151
    • Instruction ID: eb590a76bba1be9b1399287b427090a050195212781b240ecaca653f915f7175
    • Opcode Fuzzy Hash: 671de7441721ea5a7180e657779b0c5eebdd3f18fbec9ef0990226c6d5f20151
    • Instruction Fuzzy Hash: 420105B54093009BD710AF2C964925EBBE0AF89318F458E2EE88897701E7748444CB93
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 669fbd783a0788250c28102908d94c5e6c9c3d9a199c6b406c32978e6df55968
    • Instruction ID: cac3ae2d8f41352b58842c2691d627c6bc7b7d37479eae756acb1baa3f640c6d
    • Opcode Fuzzy Hash: 669fbd783a0788250c28102908d94c5e6c9c3d9a199c6b406c32978e6df55968
    • Instruction Fuzzy Hash: 8E2103B56092008BDB10DF29C6C471ABBE1BFC4318F15C96CE8998B709D734D848CB82
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1539170031.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 0000000D.00000002.1539152041.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539285553.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539302402.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539321333.000000006C89A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539337079.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539410620.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539446290.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539554618.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539585354.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539601850.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1539634800.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 9e323c5d8294ecad2cffcdf1d8c434f5c792056a87ddb769adccfa347800ddbe
    • Instruction ID: a605657ad1e0ff753ee106315e6ba7f37a371e862bd92b6987c3311ac0d81f7d
    • Opcode Fuzzy Hash: 9e323c5d8294ecad2cffcdf1d8c434f5c792056a87ddb769adccfa347800ddbe
    • Instruction Fuzzy Hash: 5FF0A472A043548FEF107F7EC98992A7BB4EB45654B15092CED4497644E730E518CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph 52778 6c86cea0 52779 6c86cec8 VirtualAlloc 52778->52779 52780 6c86ceb9 52778->52780 52780->52779 52781 6c895fb0 52782 6c895fc7 _beginthread 52781->52782 52783 6c895fe1 _errno 52782->52783 52784 6c896012 52782->52784 52785 6c895fe8 _errno 52783->52785 52786 6c896020 Sleep 52783->52786 52788 6c895ff9 fprintf abort 52785->52788 52786->52782 52787 6c896034 52786->52787 52787->52785 52788->52784

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6C895FF9
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 5241c19633d51a8d0119aa7449a16e02b2cb7223a942d498dc31b4732d341b4b
    • Instruction ID: 974a3aa711ac0b116e07a154ac00f9851ac6325537b0664bf1d13a712d446085
    • Opcode Fuzzy Hash: 5241c19633d51a8d0119aa7449a16e02b2cb7223a942d498dc31b4732d341b4b
    • Instruction Fuzzy Hash: 8C01ADB05083049FC7107F6ECA8852EBFB4EF86328F154A2DE58983790C7309444DBA3

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 8 6c86cea0-6c86ceb7 9 6c86cec8-6c86cee0 VirtualAlloc 8->9 10 6c86ceb9-6c86cec6 8->10 10->9
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 891e36ee6d208984a47cfe19bfca10d92e8427e1f30c6a64f302852d6305fe68
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: CAE0E571505600CFCB15DF18C2C1306BBF1EB48A00F0489A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C89634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C89635F
    • GetCurrentProcess.KERNEL32 ref: 6C896368
    • TerminateProcess.KERNEL32 ref: 6C896379
    • abort.MSVCRT ref: 6C896382
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: ae7ff02eba500b234258883210d4f7b574844f0b043d706d3a27606a3b19dc56
    • Instruction ID: 9d03cfd7d024f035ff98fe87e72044de79d06952399875c08a76830d8a628204
    • Opcode Fuzzy Hash: ae7ff02eba500b234258883210d4f7b574844f0b043d706d3a27606a3b19dc56
    • Instruction Fuzzy Hash: C91116B5A08241DFEB00EF6EC64562ABBF0BB46344F20892DE848C7390E7349944CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C89634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C89635F
    • GetCurrentProcess.KERNEL32 ref: 6C896368
    • TerminateProcess.KERNEL32 ref: 6C896379
    • abort.MSVCRT ref: 6C896382
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b7c6adccdd5018c990277fa64303b3fe49f9e6593e0f93f36835c67a392e11e3
    • Instruction ID: a5d6c57455501953f8df2e89f9c95ad8d4a36863fbc7c614cd39677fc726ad37
    • Opcode Fuzzy Hash: b7c6adccdd5018c990277fa64303b3fe49f9e6593e0f93f36835c67a392e11e3
    • Instruction Fuzzy Hash: 0911F3B5A09241DFEB00EF7EC6496297BF0BB06305F20892DE94897380E7749904CF92

    Control-flow Graph

    APIs
    Strings
    • ;, xrefs: 6C895F18
    • unexpected cgo_bindm on Windows, xrefs: 6C895EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6C895F2C
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 3f6a105a60e6c1709b15534c799a660a68baa31c0ac505cace2f2b8f9b9cacd8
    • Instruction ID: 8077fed6874654092953285003ff13d4e8c4e58b7a4056b64f8be7e26afbf5d2
    • Opcode Fuzzy Hash: 3f6a105a60e6c1709b15534c799a660a68baa31c0ac505cace2f2b8f9b9cacd8
    • Instruction Fuzzy Hash: 3C11B8B1508340DFEB10BFBDC50A66EBFB0BB41304F51896DE88547A91D7769158CB93
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6C8965DB
    • VirtualProtect failed with code 0x%x, xrefs: 6C89659A
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6C8965C7
    • @, xrefs: 6C896578
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 2ca2133f5b8c3f225fd37d709783dc3119b1f2360bcba39a5d9f1cb780b46f59
    • Instruction ID: ed53dc536917cd419435581be066b8a08a38139a712ea460590ebdd5fbc247da
    • Opcode Fuzzy Hash: 2ca2133f5b8c3f225fd37d709783dc3119b1f2360bcba39a5d9f1cb780b46f59
    • Instruction Fuzzy Hash: CE418BB2A093018BDB50EF6AD58465AFBF0FB85758F158A2DE8588B754E330E504CBD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: c1ce523fb157319a932d385b9939cfe96b2f38e7a6ab0fa24d8b97fdeca5fe79
    • Instruction ID: 2a0e2edae89fd4c05a5ca14758c4f98a9169ca56d416ad675d041d73ea6f406d
    • Opcode Fuzzy Hash: c1ce523fb157319a932d385b9939cfe96b2f38e7a6ab0fa24d8b97fdeca5fe79
    • Instruction Fuzzy Hash: 920152B2A093048BDB207F799B0635EBFF8AB42659F41492DE48587650D7309418CBD3
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: e7e85e59674a50a4802eb692cf89397c63799e5b40a2abb7d6a7ef0ba956e4ae
    • Instruction ID: 8f56d1dc67db92a3a04d87446aaf93452479e21abe1e85f60be78fabe2507886
    • Opcode Fuzzy Hash: e7e85e59674a50a4802eb692cf89397c63799e5b40a2abb7d6a7ef0ba956e4ae
    • Instruction Fuzzy Hash: C151AC766083158FD7109F2DD5802AAB7E5FBC8308F158D3EE9A8C7600E775D949CB92
    APIs
    • malloc.MSVCRT ref: 6C89606F
    • fwrite.MSVCRT ref: 6C8960BD
    • abort.MSVCRT ref: 6C8960C2
    • free.MSVCRT ref: 6C8960E5
      • Part of subcall function 6C895FB0: _beginthread.MSVCRT ref: 6C895FD6
      • Part of subcall function 6C895FB0: _errno.MSVCRT ref: 6C895FE1
      • Part of subcall function 6C895FB0: _errno.MSVCRT ref: 6C895FE8
      • Part of subcall function 6C895FB0: fprintf.MSVCRT ref: 6C896008
      • Part of subcall function 6C895FB0: abort.MSVCRT ref: 6C89600D
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1541719441.000000006C801000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C800000, based on PE: true
    • Associated: 00000011.00000002.1541621999.000000006C800000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542061913.000000006C898000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542199384.000000006C899000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542342895.000000006C89D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1542565157.000000006C89F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543046161.000000006C948000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C94E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543198168.000000006C953000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543516513.000000006C966000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543662064.000000006C96D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543818833.000000006C96E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1543964443.000000006C971000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c800000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: b03aa9acd126e76ce1ab7d2a451c190fa4e074954167796917ca5db0de19b9b9
    • Instruction ID: 969ec2f91cbbf58913b4737f05324f14521e9a7e63a2b641400a86ceaf35595f
    • Opcode Fuzzy Hash: b03aa9acd126e76ce1ab7d2a451c190fa4e074954167796917ca5db0de19b9b9
    • Instruction Fuzzy Hash: 0C21E3B5508700CFD710AF2DC68595ABBF4FF89304F5589ADE9888B726D339A844CB92
    APIs
    • CreateEventA.KERNEL32 ref: 6C895CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C895D89), ref: 6C895CEB
    • fwrite.MSVCRT ref: 6C895D20
    • abort.MSVCRT ref: 6C895D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6C895D19
    • =, xrefs: 6C895D05
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 09fb98b36f138a99851a52904eccf7db395d627fdcfbef51021433e3682b784e
    • Instruction ID: 294d4aac758d9ea215507dbf9bdcaa155f8634ea97e271dd77574ceba088836f
    • Opcode Fuzzy Hash: 09fb98b36f138a99851a52904eccf7db395d627fdcfbef51021433e3682b784e
    • Instruction Fuzzy Hash: 4DF0ECB15083019FEB00BF69C60932EBBF0BB41309F91896DE89987690D7798148CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6C8012E0,?,?,?,?,?,?,6C8013A3), ref: 6C801057
    • _amsg_exit.MSVCRT ref: 6C801085
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 843b0ce9db73910458baba76c381a182dc68626af6231660976b08011c204f20
    • Instruction ID: ec0a885b07fcb0b875b3c61ff352132107a33500b0aed85bfe177aeb19b78c80
    • Opcode Fuzzy Hash: 843b0ce9db73910458baba76c381a182dc68626af6231660976b08011c204f20
    • Instruction Fuzzy Hash: 2441857170D244CBFB10AF6EDA81756B7F0EB4675CF60492EE58487A41D735C484CB92
    APIs
    • VirtualQuery.KERNEL32 ref: 6C89652D
    • VirtualProtect.KERNEL32 ref: 6C896587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C945388), ref: 6C896594
      • Part of subcall function 6C897220: fwrite.MSVCRT ref: 6C89724F
      • Part of subcall function 6C897220: vfprintf.MSVCRT ref: 6C89726F
      • Part of subcall function 6C897220: abort.MSVCRT ref: 6C897274
    Strings
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 51d65f14199bdad1b40b2e212b8081eae70c835f69e18a12d1eaaa2fc22ea613
    • Instruction ID: 985900e4947b552784fdf272b07a2d4bac30a626246530ad12c4a228a5e3e3a4
    • Opcode Fuzzy Hash: 51d65f14199bdad1b40b2e212b8081eae70c835f69e18a12d1eaaa2fc22ea613
    • Instruction Fuzzy Hash: 572128B29093018FEB50EF69C584659FBF0FF85318F558A2DE998C7664E330D5048B92
    APIs
    Strings
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: ee06cfe2e64340efa203b5e8e946e87879eea30af4262a2933f66bee31d50de4
    • Instruction ID: 550a59ee7931a9cff1ee02f28669949ec2e198d5b75ba6df609f5a427dea3385
    • Opcode Fuzzy Hash: ee06cfe2e64340efa203b5e8e946e87879eea30af4262a2933f66bee31d50de4
    • Instruction Fuzzy Hash: 440192B05083019FE700AF69C58971ABBF0BB88349F10891DE99896290D77582498F93
    APIs
    • bsearch.MSVCRT ref: 6C894D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C895BEF), ref: 6C894D9A
    • malloc.MSVCRT ref: 6C894DC8
    • qsort.MSVCRT ref: 6C894E16
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: b3ecbfddc353509af73f9919eff7633f9ec20cc8256ce60dd44e291655c7224c
    • Instruction ID: 36ea5b91d0cdb84e2b66f03d6a8e128c5bd2d2762b32f4d7469f3c05e0d87373
    • Opcode Fuzzy Hash: b3ecbfddc353509af73f9919eff7633f9ec20cc8256ce60dd44e291655c7224c
    • Instruction Fuzzy Hash: E64126796093018BD720DF2AD58061AB7E1FFC8319F158D2DE89987B64E774E848CB92
    APIs
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 23c8b66a4b369a781786a277657499af1196537ece8de95b67dc82d162386022
    • Instruction ID: 20c215f46e11c3415d20141d93ed867d297cad144f77c6387e7142b17386cacd
    • Opcode Fuzzy Hash: 23c8b66a4b369a781786a277657499af1196537ece8de95b67dc82d162386022
    • Instruction Fuzzy Hash: 1C219830608304CBD710AB3DD944657B7F5AF85319F158E28D4A9CB280EB35E809CB52
    APIs
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 9c7da98b22b4513d1ef67780f8d634977d2498ef46888cc63c9a621e6e902bf3
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 40112B70209201CFE7609F6CCA8075ABBE4FF85354F148E69E498CBB85EB74D844CB62
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6C896289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8013B9), ref: 6C89629A
    • GetCurrentThreadId.KERNEL32 ref: 6C8962A2
    • GetTickCount.KERNEL32 ref: 6C8962AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8013B9), ref: 6C8962B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: a62cd0e500bc24813d1885a29c9b51c61d0b8ceb882c08c7a26d63f2e2263a00
    • Instruction ID: 093f8aed943fadfc58f71641ecc92d5f953190fb93a281d72d0d55e5173b24f2
    • Opcode Fuzzy Hash: a62cd0e500bc24813d1885a29c9b51c61d0b8ceb882c08c7a26d63f2e2263a00
    • Instruction Fuzzy Hash: FC1148B5A093408BDB10DF79E98865BBBF5FB89668F150D3EE444C6740EA31D8488BD3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6C895E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8945D9), ref: 6C895E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: e60cd6ab3d87ecf5e24f570cbda66b76b40d5b8a482fb7c65ff5f62c84381d6b
    • Instruction ID: 9e0e44f49ab85713d4544c24ddab36a919b059bbd00d427e4f6025b42c135629
    • Opcode Fuzzy Hash: e60cd6ab3d87ecf5e24f570cbda66b76b40d5b8a482fb7c65ff5f62c84381d6b
    • Instruction Fuzzy Hash: 84011671508344CFEF10BFBE998591EBBB4BF46214F51092EE89447A90D7329469CB93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6C897248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: c8a3a8d545d61efb2cb1a31792d1f2de38c6db844c8b56ba1fa71bed912f740c
    • Instruction ID: 58b1a55eb27d9293553b53b25ec669ff8992c1a315bf3de55adf6080fe6ba3fb
    • Opcode Fuzzy Hash: c8a3a8d545d61efb2cb1a31792d1f2de38c6db844c8b56ba1fa71bed912f740c
    • Instruction Fuzzy Hash: BEE0C2B00083049ED320AFACC68529EBAE4BF85348F41CD2CE0C947B51D77884888F53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8012A5), ref: 6C896709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6C896864
    • Unknown pseudo relocation bit size %d., xrefs: 6C896799
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 9b4c04af02550a554af533dadf3082de1b82ed4da9ed2b5a753e1a513e1ccb87
    • Instruction ID: 408a0eb28f660131fd4cc7b1b2228fede79ddbcaced2652fcb698f9fe55d2732
    • Opcode Fuzzy Hash: 9b4c04af02550a554af533dadf3082de1b82ed4da9ed2b5a753e1a513e1ccb87
    • Instruction Fuzzy Hash: 7261AD71B04209CFCB64DFADC6C0659B7B2FB85318F248A29E819EBB45D370E8058BD1
    APIs
    Strings
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 671de7441721ea5a7180e657779b0c5eebdd3f18fbec9ef0990226c6d5f20151
    • Instruction ID: eb590a76bba1be9b1399287b427090a050195212781b240ecaca653f915f7175
    • Opcode Fuzzy Hash: 671de7441721ea5a7180e657779b0c5eebdd3f18fbec9ef0990226c6d5f20151
    • Instruction Fuzzy Hash: 420105B54093009BD710AF2C964925EBBE0AF89318F458E2EE88897701E7748444CB93
    APIs
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 669fbd783a0788250c28102908d94c5e6c9c3d9a199c6b406c32978e6df55968
    • Instruction ID: cac3ae2d8f41352b58842c2691d627c6bc7b7d37479eae756acb1baa3f640c6d
    • Opcode Fuzzy Hash: 669fbd783a0788250c28102908d94c5e6c9c3d9a199c6b406c32978e6df55968
    • Instruction Fuzzy Hash: 8E2103B56092008BDB10DF29C6C471ABBE1BFC4318F15C96CE8998B709D734D848CB82
    APIs
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 9e323c5d8294ecad2cffcdf1d8c434f5c792056a87ddb769adccfa347800ddbe
    • Instruction ID: a605657ad1e0ff753ee106315e6ba7f37a371e862bd92b6987c3311ac0d81f7d
    • Opcode Fuzzy Hash: 9e323c5d8294ecad2cffcdf1d8c434f5c792056a87ddb769adccfa347800ddbe
    • Instruction Fuzzy Hash: 5FF0A472A043548FEF107F7EC98992A7BB4EB45654B15092CED4497644E730E518CBE3