Edit tour

Windows Analysis Report
2YsKFOeUhM.dll

Overview

General Information

Sample name:	2YsKFOeUhM.dll renamed because original name is a hash value
Original sample name:	2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b.dll
Analysis ID:	1544798
MD5:	668c2aaf5ef19c034137885d4aa4e45a
SHA1:	3a8283170d3f6cdbd89f944e3b0fb533c754cb60
SHA256:	2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7000 cmdline: loaddll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7052 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7076 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7060 cmdline: rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6024 cmdline: rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5516 cmdline: rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3028 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5636 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5692 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5644 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6724 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6380 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6524 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7080 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7108 cmdline: rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.5% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0514C0	3_2_6D0514C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD014C0	14_2_6CD014C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD014C0	18_2_6CD014C0

Source: 2YsKFOeUhM.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 2YsKFOeUhM.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D049DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D03CB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D048A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D023000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	14_2_6CCF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	14_2_6CCF8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	14_2_6CCECB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	14_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	18_2_6CCF9DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	18_2_6CCF8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	18_2_6CCECB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	18_2_6CCD3000

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04AD00	3_2_6D04AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D037DD0	3_2_6D037DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D077FB0	3_2_6D077FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D096FB0	3_2_6D096FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D048E10	3_2_6D048E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D05CE40	3_2_6D05CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02BE4F	3_2_6D02BE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D092940	3_2_6D092940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D035820	3_2_6D035820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D030830	3_2_6D030830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A1A00	3_2_6D0A1A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02CA60	3_2_6D02CA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04CA70	3_2_6D04CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04BAB0	3_2_6D04BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04D525	3_2_6D04D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04B540	3_2_6D04B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D095590	3_2_6D095590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04C460	3_2_6D04C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D097490	3_2_6D097490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A3710	3_2_6D0A3710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D07F732	3_2_6D07F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D066730	3_2_6D066730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04A790	3_2_6D04A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D023620	3_2_6D023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A1640	3_2_6D0A1640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04C100	3_2_6D04C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D095100	3_2_6D095100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0461A0	3_2_6D0461A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D023000	3_2_6D023000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D05E040	3_2_6D05E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D056040	3_2_6D056040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D043090	3_2_6D043090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0410D0	3_2_6D0410D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D096240	3_2_6D096240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0292E0	3_2_6D0292E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCE7DD0	14_2_6CCE7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFAD00	14_2_6CCFAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCDBE4F	14_2_6CCDBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD0CE40	14_2_6CD0CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCF8E10	14_2_6CCF8E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD27FB0	14_2_6CD27FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD46FB0	14_2_6CD46FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCE5820	14_2_6CCE5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCE0830	14_2_6CCE0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD42940	14_2_6CD42940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFBAB0	14_2_6CCFBAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCDCA60	14_2_6CCDCA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFCA70	14_2_6CCFCA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD51A00	14_2_6CD51A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD47490	14_2_6CD47490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFC460	14_2_6CCFC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD45590	14_2_6CD45590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFB540	14_2_6CCFB540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFD525	14_2_6CCFD525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD51640	14_2_6CD51640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCD3620	14_2_6CCD3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFA790	14_2_6CCFA790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD53710	14_2_6CD53710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD2F732	14_2_6CD2F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD16730	14_2_6CD16730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCF10D0	14_2_6CCF10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCF3090	14_2_6CCF3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD0E040	14_2_6CD0E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD06040	14_2_6CD06040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCD3000	14_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCF61A0	14_2_6CCF61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCFC100	14_2_6CCFC100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD45100	14_2_6CD45100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CCD92E0	14_2_6CCD92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD46240	14_2_6CD46240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCE7DD0	18_2_6CCE7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFAD00	18_2_6CCFAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCDBE4F	18_2_6CCDBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD0CE40	18_2_6CD0CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCF8E10	18_2_6CCF8E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD27FB0	18_2_6CD27FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD46FB0	18_2_6CD46FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCE5820	18_2_6CCE5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCE0830	18_2_6CCE0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD42940	18_2_6CD42940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFBAB0	18_2_6CCFBAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCDCA60	18_2_6CCDCA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFCA70	18_2_6CCFCA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD51A00	18_2_6CD51A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD47490	18_2_6CD47490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFC460	18_2_6CCFC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD45590	18_2_6CD45590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFB540	18_2_6CCFB540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFD525	18_2_6CCFD525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD51640	18_2_6CD51640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCD3620	18_2_6CCD3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFA790	18_2_6CCFA790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD53710	18_2_6CD53710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD2F732	18_2_6CD2F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD16730	18_2_6CD16730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCF10D0	18_2_6CCF10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCF3090	18_2_6CCF3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD0E040	18_2_6CD0E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD06040	18_2_6CD06040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCD3000	18_2_6CCD3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCF61A0	18_2_6CCF61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCFC100	18_2_6CCFC100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD45100	18_2_6CD45100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CCD92E0	18_2_6CCD92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD46240	18_2_6CD46240

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD07450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD04FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CCDF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D057450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CCD2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D054FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD03620 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD050A0 appears 38 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832

Source: 2YsKFOeUhM.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0A4310 GetLastError,FormatMessageA,fprintf,LocalFree,

3_2_6D0A4310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0f05acd2-3cfe-4909-8511-d04313a16448

Jump to behavior

Source: 2YsKFOeUhM.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 824
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 844
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: 2YsKFOeUhM.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: 2YsKFOeUhM.dll

Static file information: File size 1198080 > 1048576

Source: 2YsKFOeUhM.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0213E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D0213E0

Source: 2YsKFOeUhM.dll

Static PE information: real checksum: 0x12c967 should be: 0x126f74

Source: 2YsKFOeUhM.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01C38F4F push es; ret	0_2_01C38F52
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01C38F3D push es; ret	0_2_01C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_04C38F4F push es; ret	12_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_04C3A496 push edi; iretd	12_2_04C3A497
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_04C38F3B push es; ret	12_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0490240D pushfd ; retf	15_2_0490242F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503B9C6 push ebx; ret	20_2_0503B9C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503B464 pushad ; ret	20_2_0503B472
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0503A929 pushfd ; ret	20_2_0503A93E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0508049D push cs; retf 0001h	20_2_0508049F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C80472 push cs; retf	21_2_04C80473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0488043B push FFFFFFB0h; iretd	23_2_04880451
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_04C38F4F push es; ret	24_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_04C38F3B push es; ret	24_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0503A468 push ss; ret	25_2_0503A472

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D080F80 rdtscp

3_2_6D080F80

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000016.00000002.2551732689.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: rundll32.exe, 00000014.00000002.2551108916.000000000334A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: loaddll32.exe, 00000000.00000002.2554669122.000000000148D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2458220279.000000000332A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2457743003.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2483825116.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2514078062.000000000340A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2546999162.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2550376519.00000000034F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2552827855.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000E.00000002.2550564353.000000000320A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2553651655.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: rundll32.exe, 00000015.00000002.2550622139.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: rundll32.exe, 00000017.00000002.2552910448.000000000092A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D080F80 rdtscp

3_2_6D080F80

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0213E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D0213E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0A3710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,

3_2_6D0A3710

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D0A4ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0A4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D0A4AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	14_2_6CD54ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_6CD54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	14_2_6CD54AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD54ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	18_2_6CD54ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_6CD54AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	18_2_6CD54AE0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0A4A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D0A4A30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2YsKFOeUhM.dll	3%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544798
Start date and time:	2024-10-29 18:53:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2YsKFOeUhM.dll renamed because original name is a hash value
Original Sample Name:	2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b.dll
Detection:	MAL
Classification:	mal48.mine.winDLL@35/0@0/0
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 55% Number of executed functions: 6 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 7000 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5516 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5636 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5692 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6024 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6380 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6524 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6724 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6924 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7076 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7080 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7108 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: 2YsKFOeUhM.dll

Simulations

Behavior and APIs

Time	Type	Description
13:54:34	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.272851647495425
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2YsKFOeUhM.dll
File size:	1'198'080 bytes
MD5:	668c2aaf5ef19c034137885d4aa4e45a
SHA1:	3a8283170d3f6cdbd89f944e3b0fb533c754cb60
SHA256:	2ff3f2639e73e8bba2a321faad0e785412f8b45a204133912e8f341c2e8bbd1b
SHA512:	d28f7dda62a7ab304087fff79489e150c3e8e3d406278f5ffb4d0fefd891ae9804b6e26e7b07683c8897081211fca637ad25c6398c75ed9146a4e155f3b5617b
SSDEEP:	24576:ZySa4QfLgHgFIdgasWheLSpDNk+DXJDqezpd3Sg:ZH90IDldCg
TLSH:	20452900FD8744F1E5072672A96B62AF3725AE054F319BC7FA54B679FB732E10832285
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....L...D...F...........`.....m................................g.....@... ......................@..-..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6d8c1380
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d8c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6d944bc0, 0x6d944b70
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	a4a784e5029279463818b31167e8f38b

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [6DA23550h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F0838D4667Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F0838D464E2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F0838DC9CDCh
mov edx, dword ptr [esp+0Ch]
jmp 00007F0838D46639h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D9DF000h
mov dword ptr [esp+04h], eax
call 00007F0838DCAB3Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA25224h]
sub esp, 04h
test eax, eax
je 00007F0838D466D5h
mov ebx, eax
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA2526Ch]
mov edi, dword ptr [6DA2522Ch]
sub esp, 04h
mov dword ptr [6DA23584h], eax
mov dword ptr [esp+04h], 6D94D013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D94D029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D946000h], eax
sub esp, 08h
test esi, esi
je 00007F0838D46673h
mov dword ptr [esp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x164000	0x12d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x165000	0xb94	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168000	0x72d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11c650	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1651d0	0x194	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x84a98	0x84c00	44408de594db3e90a078e6c01ca737d0	False	0.4715472722457627	data	6.286209104347521	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x86000	0x60c8	0x6200	d5fb9a3cff8092d07ab471f7d78d00e7	False	0.42263233418367346	data	4.420817390336753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8d000	0x8fa20	0x8fc00	6f0af52223f71bcf159b56265023415a	False	0.4364436141304348	data	5.591695970002809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x11d000	0x1274	0x1400	7e0c196a5297fcb1314a2ce26d210985	False	0.3359375	data	4.556527782531458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x11f000	0x4459c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x164000	0x12d	0x200	413e4b4248816189509f7ffe80d08073	False	0.458984375	data	3.4189467598340144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x165000	0xb94	0xc00	e1ea2a2551376701992ead81eecc63e4	False	0.3958333333333333	data	5.069558373921308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x166000	0x2c	0x200	51289c22ed2d6bf0af49e9f6ae9824ce	False	0.0546875	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x167000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x168000	0x72d8	0x7400	0c84a8252fab6ae9ef0aac05f7906f8f	False	0.6951441271551724	data	6.638371858055151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA

msvcrt.dll

_amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs

Exports

Name	Ordinal	Address
BarCreate	1	0x6d942db0
BarDestroy	2	0x6d943030
BarFreeRec	3	0x6d942fe0
BarRecognize	4	0x6d942f90
GetInstallDetailsPayload	5	0x6d942ef0
SignalInitializeCrashReporting	6	0x6d942f40
SpellFree	7	0x6d942e00
SpellInit	8	0x6d942e50
SpellSpell	9	0x6d942ea0
_cgo_dummy_export	10	0x6da23588

Target ID:	0
Start time:	13:54:24
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll"
Imagebase:	0x5e0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarCreate
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",#1
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 832
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:54:25
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 824
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:54:28
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarDestroy
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:54:31
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2YsKFOeUhM.dll,BarFreeRec
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarCreate
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarDestroy
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarFreeRec
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",_cgo_dummy_export
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 844
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellSpell
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellInit
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SpellFree
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",SignalInitializeCrashReporting
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",GetInstallDetailsPayload
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:54:34
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\2YsKFOeUhM.dll",BarRecognize
Imagebase:	0xf60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6D0A4790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D0A47B6
_errno.MSVCRT ref: 6D0A47C1
_errno.MSVCRT ref: 6D0A47C8
fprintf.MSVCRT ref: 6D0A47E8
abort.MSVCRT ref: 6D0A47ED
Sleep.KERNEL32 ref: 6D0A4806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D0A47D9

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 2199fd043f7ab99972bfdb7887a70f8397bea39076de43f2004aa1ae02918330
Instruction ID: a2828d0409a9fc7295fa2801e8d40bc9c77fba05de5c041ad72250ba7ef1f41f
Opcode Fuzzy Hash: 2199fd043f7ab99972bfdb7887a70f8397bea39076de43f2004aa1ae02918330
Instruction Fuzzy Hash: 5A016278409310DFD700AFA4E88862EBBF4FF4A311F46451DE58957212DB719444DA63

Function 6D081D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6D081D68

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: 7d915628d0de4294ff6607a16af515403d8732046d4a43a270e42deaf5174700
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 7FE0C2719057008FDB15DF18C2C1316BBE1EB48A00F0485A8DE098B74AE734ED10CA92

Non-executed Functions

Function 6D0A3710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 6D0A37CC
GetProcessHeap.KERNEL32 ref: 6D0A382D
HeapAlloc.KERNEL32 ref: 6D0A3846
memcpy.MSVCRT ref: 6D0A3912
memset.MSVCRT ref: 6D0A39A9
IsBadReadPtr.KERNEL32 ref: 6D0A3A0F
realloc.MSVCRT ref: 6D0A3A5E
SetLastError.KERNEL32 ref: 6D0A3B19
SetLastError.KERNEL32 ref: 6D0A3B39

Strings

?, xrefs: 6D0A371A
@, xrefs: 6D0A3833

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
String ID: ?$@
API String ID: 2257136212-1463999369
Opcode ID: 93e10fd16ff7f2553c138a82258c995f851b3efd1fac5e3406dd454f0824d901
Instruction ID: 33fbf6d18721f50e4b7420a7301f16ab75544c3dc1b23bed34acf141a038c4a1
Opcode Fuzzy Hash: 93e10fd16ff7f2553c138a82258c995f851b3efd1fac5e3406dd454f0824d901
Instruction Fuzzy Hash: A742F4B46087029FE710DFA9C58476AFBF1BF88354F49892DE99987341E774E844CB82

Function 6D035820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D0358EA
non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 6D036A63
/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT, xrefs: 6D036595
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D036A79
gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile, xrefs: 6D036109
, xrefs: 6D035ED9
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 6D036A8F
@s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0, xrefs: 6D036136
5, xrefs: 6D036A6C
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 6D03635B
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 6D0367E1
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D03684B
+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1, xrefs: 6D036313, 6D0365D0
., xrefs: 6D03606D
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm, xrefs: 6D036721

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: $ @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm$+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1$.$/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
API String ID: 0-4142148823
Opcode ID: d9cd5dc2e92d322f5a3045a2965448f3356b55bd6130ce4e64b5f4146a9406f2
Instruction ID: 69d2613bb55459ab0441a1c9ffced1bb54772b21cf59486e61aea320417be5e2
Opcode Fuzzy Hash: d9cd5dc2e92d322f5a3045a2965448f3356b55bd6130ce4e64b5f4146a9406f2
Instruction Fuzzy Hash: 39B2E5B860D345CFE724DF28D190B9ABBF5FB8A304F42892ED99987351D7709844CB92

Function 6D048E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET, xrefs: 6D0490DA, 6D049523
runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D04971E
] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 6D049550
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0491D8, 6D04999E
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrgraviolano anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil Poolscaveng, xrefs: 6D04963A
] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D049103
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard , xrefs: 6D049691
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonLazyDogCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpupr, xrefs: 6D0496BE
runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu, xrefs: 6D0491A1
, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D04974B
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D0490B0, 6D0494E9
, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar, xrefs: 6D04960D
, [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1, xrefs: 6D04912D, 6D049157, 6D04957A, 6D0495A4

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonLazyDogCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpupr$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrgraviolano anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil Poolscaveng$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-803775704
Opcode ID: e6834072342770f72f4ec63956fbffa48cc4d88a1f2dd40812cae6c8f7f4e840
Instruction ID: 6c4f543fa42705de78799b769b8e928e17c04ee26786db114563f26702653838
Opcode Fuzzy Hash: e6834072342770f72f4ec63956fbffa48cc4d88a1f2dd40812cae6c8f7f4e840
Instruction Fuzzy Hash: 0D522675A09744CFE724DF68C680B6EB7E1BFC9304F41892DEA9887341D774A845CB82

Function 6D043090 Relevance: 14.6, Strings: 11, Instructions: 823COMMON

Download Yara Rule

Strings

previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D043A68
, xrefs: 6D043ACF
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 6D043AC6
sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx, xrefs: 6D043975, 6D043D1F
nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac, xrefs: 6D043A3E
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D0439D3
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 6D043D7D
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D043D9C
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D043922
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 6D04390C
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D04399F, 6D043D49

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-23978083
Opcode ID: 101fa563026ba59f421495580597ed8b3d01d29102f4f9ce075215a3084fed28
Instruction ID: 8f2b5dcac6af1463fd97c989e4adf6e3fe3ab816e4cb351b59d93ca059c06a25
Opcode Fuzzy Hash: 101fa563026ba59f421495580597ed8b3d01d29102f4f9ce075215a3084fed28
Instruction Fuzzy Hash: B08233B460C355CFE714DF24C180B6ABBE1BF89308F41896DE9D88B391D7749948CB92

Function 6D0213E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D0213F0
LoadLibraryA.KERNEL32 ref: 6D021406
GetProcAddress.KERNEL32 ref: 6D021425
GetProcAddress.KERNEL32 ref: 6D021437

Strings

libgcc_s_dw2-1.dll, xrefs: 6D0213E9, 6D0213FF
__deregister_frame_info, xrefs: 6D02142C
__register_frame_info, xrefs: 6D02141A

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 66dd2c626b83e91fa35aa4825bed68b3ee4307e530d90eef3a86805d889e2354
Instruction ID: 49b7f32eb2b440a1ef6f88d4d2fba891a2ff1fd4ff728c93fe239af54c8748d3
Opcode Fuzzy Hash: 66dd2c626b83e91fa35aa4825bed68b3ee4307e530d90eef3a86805d889e2354
Instruction Fuzzy Hash: 4D0171B180A3209BE700BFB8A50972EFFF4EB82351F06452DD88997205E77154448BE3

Function 6D02BE4F Relevance: 12.0, Strings: 9, Instructions: 703COMMON

Download Yara Rule

Strings

mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D02C7B0
delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl, xrefs: 6D02C72A
malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 6D02C784
4, xrefs: 6D02C777
unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom, xrefs: 6D02C714
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D02C76E
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D02C219
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 6D02C79A
2, xrefs: 6D02C7B9

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom
API String ID: 0-4221549744
Opcode ID: 9f59aafc2bd8a4635c2b34ce5a0671cc85c6d8c548bc010864d464f8e5c0f59c
Instruction ID: 39c4e29b879f898f92201a530e61f4857f99baa5edbbc4b88a34c1698b5e4f3a
Opcode Fuzzy Hash: 9f59aafc2bd8a4635c2b34ce5a0671cc85c6d8c548bc010864d464f8e5c0f59c
Instruction Fuzzy Hash: A352BC706093558FE704CF29C09072ABBF1BF8A308F45896DE9988B392D775D949CF86

Function 6D092940 Relevance: 10.5, Strings: 7, Instructions: 1779COMMON

Download Yara Rule

Strings

)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D093FC4, 6D09428F, 6D0943D3, 6D0946B5
%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d, xrefs: 6D093FAA, 6D094275
0, xrefs: 6D093530
%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B, xrefs: 6D0943B9, 6D09469B
0, xrefs: 6D093724
0, xrefs: 6D093647
0, xrefs: 6D093491

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: %!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B$%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d$)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$0$0$0$0
API String ID: 0-2591048153
Opcode ID: 8545f669b658e9a5181c389bbc0da7364c1729c7686aaada03cd6902b8c62784
Instruction ID: 63dcca04fdbacb288f987b4b41e3df8babb038e71d8dc811843368fe4570316c
Opcode Fuzzy Hash: 8545f669b658e9a5181c389bbc0da7364c1729c7686aaada03cd6902b8c62784
Instruction Fuzzy Hash: 3D03E275A093828FD329CF18C09079EFBE1BFC8304F55892EE9999B351D770A945CB92

Function 6D077FB0 Relevance: 10.5, Strings: 8, Instructions: 515COMMON

Download Yara Rule

Strings

, xrefs: 6D07811F
fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an, xrefs: 6D078627
pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin, xrefs: 6D078681
sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit , xrefs: 6D078654
:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D0784EB
non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard , xrefs: 6D0787B3
, xrefs: 6D078127
(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P, xrefs: 6D07840E

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit $(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P$:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard
API String ID: 0-1565611637
Opcode ID: e53288fe429d6f294f8c5fdf7bcafbe72c936f5b2c984de2d8c4867dc852430c
Instruction ID: 1b252435635f2eb8851d325d1ebf7bacf46c024936c5bcba414218aa543a6e67
Opcode Fuzzy Hash: e53288fe429d6f294f8c5fdf7bcafbe72c936f5b2c984de2d8c4867dc852430c
Instruction Fuzzy Hash: A732C07460C3818FE365DF25C180BAEBBE1AFC9304F45892EE9C99B351D7309845DB96

Function 6D0A4310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D0A4314
FormatMessageA.KERNEL32 ref: 6D0A4359
fprintf.MSVCRT ref: 6D0A4382
LocalFree.KERNEL32 ref: 6D0A438E

Strings

Erro: %s, xrefs: 6D0A4373

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: e5e3c3e54cf48a0d4482581bfab2f52b6b17726b7972f7a0b881ea3abedd8454
Instruction ID: 608c5af2abe3094dc02d209d8453fbfcfcf20485c0dba07498aa07e11ab3b440
Opcode Fuzzy Hash: e5e3c3e54cf48a0d4482581bfab2f52b6b17726b7972f7a0b881ea3abedd8454
Instruction Fuzzy Hash: 3D018CB44083019FE700EF64D09832EFFF0AB89349F41891DE8999A255D7B881488F97

Function 6D05CE40 Relevance: 8.6, Strings: 6, Instructions: 1065COMMON

Download Yara Rule

Strings

findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D05DEAC
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D05DEEE
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D05DED8
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out, xrefs: 6D05DE96
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 6D05DEC2
!, xrefs: 6D05DEE1

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out
API String ID: 0-3247796029
Opcode ID: fa46992d37cd147b7c8eb14e88b3e58128d13b355fa11e42d086940f14a46f97
Instruction ID: 6b7c7fac604431269d7ad602f2b8bf7ceb5f359334ef5955ce8080ddd901a100
Opcode Fuzzy Hash: fa46992d37cd147b7c8eb14e88b3e58128d13b355fa11e42d086940f14a46f97
Instruction Fuzzy Hash: D7A2E07860D3419FE720DF68C290B6ABBF1AF8A744F41882DE9D887350EB74D854CB52

Function 6D0A4A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6D0A4A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0213B9), ref: 6D0A4A7A
GetCurrentThreadId.KERNEL32 ref: 6D0A4A82
GetTickCount.KERNEL32 ref: 6D0A4A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0213B9), ref: 6D0A4A99

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: d03885a1c0a4af4cb86f9acec83bda1c1dfadd802981dd075291c8e6698cb818
Instruction ID: c27911146e24e64f610a7e85cc845292196e6342881531b9ba064cdcdf9e4aa1
Opcode Fuzzy Hash: d03885a1c0a4af4cb86f9acec83bda1c1dfadd802981dd075291c8e6698cb818
Instruction Fuzzy Hash: 5A114FBA5583018BDB00DFB9E98875FBBF1FB89255F450939E445C7200EB35D4498792

Function 6D0A4AE0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D0A4B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D0A4B3F
GetCurrentProcess.KERNEL32 ref: 6D0A4B48
TerminateProcess.KERNEL32 ref: 6D0A4B59
abort.MSVCRT ref: 6D0A4B62

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 71892d7926cc56749190543309bdade75fb1f22504b7446fcfbf9858767907ca
Instruction ID: 0eb225a8362ecbae6678142ea840f844f66a0832a983a03638edb46d9bae8a7c
Opcode Fuzzy Hash: 71892d7926cc56749190543309bdade75fb1f22504b7446fcfbf9858767907ca
Instruction Fuzzy Hash: 6D1116B9808201CFDB00EFA9D14972EBBF1FB4A306F458529E948D7302E7B49945CF52

Function 6D0A4ADC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D0A4B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D0A4B3F
GetCurrentProcess.KERNEL32 ref: 6D0A4B48
TerminateProcess.KERNEL32 ref: 6D0A4B59
abort.MSVCRT ref: 6D0A4B62

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 81047a8dece5a50d6f2b1ac257bb114c72dc231c2cc4e66636d5fbcd5d5e8292
Instruction ID: 32c170f379ef14d8fe89a8d74e09e2c7ff757516fc13c1e0e046d25e79af9271
Opcode Fuzzy Hash: 81047a8dece5a50d6f2b1ac257bb114c72dc231c2cc4e66636d5fbcd5d5e8292
Instruction Fuzzy Hash: 3C1109B5805201DFDB00EFA9E54976DBBF2FB06306F054519D949D7342EBB09845CF52

Function 6D0410D0 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D041650
runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper, xrefs: 6D04161C, 6D04166B
!, xrefs: 6D0416A8
min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D04169F

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper
API String ID: 0-1474820873
Opcode ID: 817419a0c7d9dd27bd3e614dc226b91b59fbe9ffe35b40f1f14df32a708a2929
Instruction ID: 8a590e9b54ff69c30dd9494172c7f2e182812dd2e31c05c4103e7912b402764d
Opcode Fuzzy Hash: 817419a0c7d9dd27bd3e614dc226b91b59fbe9ffe35b40f1f14df32a708a2929
Instruction Fuzzy Hash: CCF1E2326093268FE711DE58C4C0B5EB7E2BBC8348F55CA3CD9949B385EB71E855C682

Function 6D0514C0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

powrprof.dll, xrefs: 6D0514DD
', xrefs: 6D051519
', xrefs: 6D051521
PowerRegisterSuspendResumeNotification, xrefs: 6D05150F

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4026319467
Opcode ID: fe0c0a4aa0a49947814bf6080d5b58ab5fefb17e46ab4a00d41f7c03e1dd6d90
Instruction ID: daf3db1d4f0f59ac2edfedbf346c721e81b18c95fc1e15f29208c8ebe38f9d8c
Opcode Fuzzy Hash: fe0c0a4aa0a49947814bf6080d5b58ab5fefb17e46ab4a00d41f7c03e1dd6d90
Instruction Fuzzy Hash: FA21AFB4908342DFD704DF25C19476ABBF0BB89708F41891EE89987350E7759A58CF93

Function 6D056040 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno, xrefs: 6D0564C4
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena, xrefs: 6D0564DA
', xrefs: 6D0564E3

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena
API String ID: 0-536681504
Opcode ID: c35068b24cffce3f66401a0e56ccdf2a8cfc4d68120d6fe639e8e3f6e595ea9d
Instruction ID: c48397cb58bf802c6683bbd23b03ad530e8bb362a624f1fe5f7234f9de86671f
Opcode Fuzzy Hash: c35068b24cffce3f66401a0e56ccdf2a8cfc4d68120d6fe639e8e3f6e595ea9d
Instruction Fuzzy Hash: EED12F7460D3518FE705CF29C29072EBBF1AF8A748F85886DE8C48B352D735A954CB92

Function 6D0461A0 Relevance: 3.0, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D046840
+, xrefs: 6D046849

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3347251187
Opcode ID: 12cca7669f31ea7d6566429d85952770bd8325b6555af8c833be6274eb6d6b61
Instruction ID: 9a2a39e8fbb67b4fb021443b29b02158ec59ab67b3c015d8757b7d663bc1cd0e
Opcode Fuzzy Hash: 12cca7669f31ea7d6566429d85952770bd8325b6555af8c833be6274eb6d6b61
Instruction Fuzzy Hash: 6D22DC7460D742DFE354DF68C190B6ABBE1BF8A604F51892DE9D887350EB34E844CB82

Function 6D04AD00 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D04B085
@, xrefs: 6D04AF6E

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: 6c12bf7415a16163fb6b6995e4c56c902a2debe5cb211aebc5ea65870e49f53d
Instruction ID: 87c6e7580e2bda03154a28deb8f91071045b45a7de7673a34848332db1fa31d4
Opcode Fuzzy Hash: 6c12bf7415a16163fb6b6995e4c56c902a2debe5cb211aebc5ea65870e49f53d
Instruction Fuzzy Hash: 14B18D756087058FD708CF64C49065EB7F1BFC8318F448A2DE9999B381DB74E95ACB82

Function 6D07F732 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 6D07F75D
, xrefs: 6D07F758

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 4fca2fa2e6bd2b2dd03f469efb7a2e209ad645ca197e80de85ee9154ef254858
Instruction ID: 0828d9155bea6c5394819d7741a7978f61d9a72a51955e53aef921b60c7b5bd6
Opcode Fuzzy Hash: 4fca2fa2e6bd2b2dd03f469efb7a2e209ad645ca197e80de85ee9154ef254858
Instruction Fuzzy Hash: 4E519314C1CF9B65E6330BBDC4027663B206EB3140B01D76FFDD6B64B2E7526940BA22

Function 6D03CB60 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 6D03CC41
,, xrefs: 6D03CC4A

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-2682900153
Opcode ID: f19033d29862cc80ed423bd0d08ae8d572217f183f0c0a14db0d3bccbdd5b594
Instruction ID: b5befb5d01d5cf10fb23e28391e6211a951bb14155477ffd4b58902ceb65ebae
Opcode Fuzzy Hash: f19033d29862cc80ed423bd0d08ae8d572217f183f0c0a14db0d3bccbdd5b594
Instruction Fuzzy Hash: 5D318E75A0A7668FD305DF18C490B69B7F2ABC6208F4985BDCD484F383CB71984ACB85

Function 6D096240 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD, xrefs: 6D0963DE

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD
API String ID: 0-4001910974
Opcode ID: da06fd74b18ae0d703775e387f0bf4a5e2d4eab4c5234d356c10564ad825be8d
Instruction ID: 3de3584251eb628b8f355de445f781788b1b92adee37c3332f7437a0b6f38f41
Opcode Fuzzy Hash: da06fd74b18ae0d703775e387f0bf4a5e2d4eab4c5234d356c10564ad825be8d
Instruction Fuzzy Hash: 5B5215B5A083858FD334CF19C55079FBBE1ABC4304F45892DDAD89B381EBB5A9448B83

Function 6D04CA70 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 6D04CDFB

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
API String ID: 0-3032229779
Opcode ID: 21ffa25623d1c33b9672dcd30435224751a481d4944c472b13629f2a0c826828
Instruction ID: c6848946ddb78e9259fff8cfd450e2535beb6ccc32003323f9ad2719bca89273
Opcode Fuzzy Hash: 21ffa25623d1c33b9672dcd30435224751a481d4944c472b13629f2a0c826828
Instruction Fuzzy Hash: 6DB11778A09306DFD714DF68D180A2ABBF1BF89744F42892DE99587350E731E849CF86

Function 6D095100 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;, xrefs: 6D0953EA

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 6724e050a9a0a940cff635daabc3cf47411f3949626210de42c8c849ca7b18d4
Instruction ID: 10f5112894a8adeda580303ae4884d8e856b70c883765623b4c600260a66282f
Opcode Fuzzy Hash: 6724e050a9a0a940cff635daabc3cf47411f3949626210de42c8c849ca7b18d4
Instruction Fuzzy Hash: 05A19371B083054FD70CDE5DD95531EBAE2ABC8304F49CA3DE988CB3A4E674D9058B86

Function 6D049DA0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

@, xrefs: 6D049FCC

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49038ac990dbcaddbb727d5b9106f6b05f40698f40b110b95d023c331cfa999f
Instruction ID: 19b09a75eaf9c81c2048ad4459d11d88116f0d9035bcc571e82108c0603af2ce
Opcode Fuzzy Hash: 49038ac990dbcaddbb727d5b9106f6b05f40698f40b110b95d023c331cfa999f
Instruction Fuzzy Hash: A79130B5A09305DFD344CF28C180A5EBBE0FF89744F459A2DE99997341E734E984CB82

Function 6D097490 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fd068aec0141a6684b3147be440a70d85316e41136454fc190092580382cb5
Instruction ID: 83a626ad0dc7de6bf81a7583b6034fe6790d21264cfe149f36909d8f2c52e42a
Opcode Fuzzy Hash: 11fd068aec0141a6684b3147be440a70d85316e41136454fc190092580382cb5
Instruction Fuzzy Hash: 87228272A1C7468FE724CF69C49035FB7E2BFC5304F85982DD9958B241EBB198099B82

Function 6D095590 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499751167ae670b92242a6373316430256a9b9acf315e61057e17f98763b96e7
Instruction ID: f43c01241282190074fa9a6b2c5c264dff02cf967d4b4abbf9d0a8227ffc733e
Opcode Fuzzy Hash: 499751167ae670b92242a6373316430256a9b9acf315e61057e17f98763b96e7
Instruction Fuzzy Hash: 5A12A876A087098FD324DE6DC98435AF7E6BBC4300F55CA3DE9588B355EB70E9058B82

Function 6D04BAB0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba0c34f7e5e4ef10a88e746cbcdbb1e35352fee69eef6e9bb0febd13f1114ce
Instruction ID: 67569dc5663e6e29e11722bf23926d7dc9fbe8e1e7e1cd53bf6e07b3763a2c14
Opcode Fuzzy Hash: 0ba0c34f7e5e4ef10a88e746cbcdbb1e35352fee69eef6e9bb0febd13f1114ce
Instruction Fuzzy Hash: 6AE11833B5971A8BE319DDAD88C075EB2D2ABC8354F09C63CDD649B381FA75D80986C1

Function 6D04B540 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599f12c0d90dca14e91c42b52f8a1e9fca5498538febff2f323453ab3558c32a
Instruction ID: f93d3bdc4b105b32bded3ae5b34decc2187ce7f3d827d3c0704d25de47f9b526
Opcode Fuzzy Hash: 599f12c0d90dca14e91c42b52f8a1e9fca5498538febff2f323453ab3558c32a
Instruction Fuzzy Hash: A0E1C433E2472547E3149E58CC80249B2D2ABC8670F4EC73DDD95AB781E9B4ED5987C2

Function 6D096FB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3638df91f75ffb7e8511824663fd95e0b654ea9cf32ac29804b17a829ecba5a6
Instruction ID: a3a14af184e2256c3dd0e66480e8f8c01e2ae7ae6af5fa02458f99666474f2ad
Opcode Fuzzy Hash: 3638df91f75ffb7e8511824663fd95e0b654ea9cf32ac29804b17a829ecba5a6
Instruction Fuzzy Hash: 9EE1AE72E1C3568BE319CF29849031FBBE2BBC5700F85992DE9958F341E77198059B82

Function 6D037DD0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fe0ac4fbbee9a5ed9e7360533308751211d4e2e4112e53935281c32d95c30a
Instruction ID: 084d197e5c144f142100c937be80b287c0f32f76e2f55ed5d01f7b1bddbcd453
Opcode Fuzzy Hash: 57fe0ac4fbbee9a5ed9e7360533308751211d4e2e4112e53935281c32d95c30a
Instruction Fuzzy Hash: 77C1C232B083268FD709DE6DC89071EBAD2ABC8344F4A863CE955DB3A5E775DC058781

Function 6D05E040 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a061cae1402763b90656d5390a09fe8ac45cae6e8dcfc83201f766e1c92e06fe
Instruction ID: a8a7a6dbd12e3eae5a4c37b1f60a2de00d252853eba315aa77bc94e58cb42496
Opcode Fuzzy Hash: a061cae1402763b90656d5390a09fe8ac45cae6e8dcfc83201f766e1c92e06fe
Instruction Fuzzy Hash: BAF1D17860C3918FD364CF29C190B5BBBE2BBC9304F54892EE9D887352DB70A855CB52

Function 6D0A1A00 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980d1fae41ca019f703fd9f3d481b0c29c153724d3b5fd7c5f857f29189c521d
Instruction ID: ed72e926d598b401fa8099d3929bb83d251b49ed13acad6b1f1f6f86d43076c3
Opcode Fuzzy Hash: 980d1fae41ca019f703fd9f3d481b0c29c153724d3b5fd7c5f857f29189c521d
Instruction Fuzzy Hash: E6C1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91866D96448F7C3DA3AF46B97A4

Function 6D0A1640 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52172e311bc073cce8fc02d97064065706e812c00aeac84b2eda29856fe8ae45
Instruction ID: 3021a958202101910fdf470ca8d3f64878d3e4c3392a70fbded627b38196394a
Opcode Fuzzy Hash: 52172e311bc073cce8fc02d97064065706e812c00aeac84b2eda29856fe8ae45
Instruction Fuzzy Hash: 4FC1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91866D9644CF7C3DA3AF46B97A4

Function 6D04C100 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506e3fd167de8d63939e59b3962988fe3f78e3e607c9ac0f0fa5bc6c82c48bb3
Instruction ID: ccb26fb6acba7d7380d81bcb7e4a0abc2acb2992128d19d973ec697e8cb01aab
Opcode Fuzzy Hash: 506e3fd167de8d63939e59b3962988fe3f78e3e607c9ac0f0fa5bc6c82c48bb3
Instruction Fuzzy Hash: 3991683260972A8FE719DE98C4D0A5EB3E2FBC8344F59C73CD9650B381EB71990D8685

Function 6D04C460 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1b598d6b071734348c355f492b837969b264d832735180a2033cbc55362bf5
Instruction ID: 8cac3d0cfc167e1dae6a6d9df68a0bde6e6fde113478b25476dd22e404e45df6
Opcode Fuzzy Hash: 4a1b598d6b071734348c355f492b837969b264d832735180a2033cbc55362bf5
Instruction Fuzzy Hash: 1481183764873A8FE716CDA888D0B5D72D2ABC8324F45C63CD9749B3C5EB75980982C5

Function 6D04A790 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae07067f0086f0b26ec691c47849dc8de327861c6ef58a69e3c948659a41918
Instruction ID: 1619ebc5ed22017e6e1dd463e4e51aba0b6f8f1b463f44ab1aa1d162242247e0
Opcode Fuzzy Hash: 0ae07067f0086f0b26ec691c47849dc8de327861c6ef58a69e3c948659a41918
Instruction Fuzzy Hash: 6B91C876A187184BD304DE59CCC0659B3E2BBC8324F49C63CE8A89B341E674EE49CB81

Function 6D023620 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73113e0ed0139e0a830a8668abe9b08c79aeb0cb90e278a8f98e2436c5f88a1a
Instruction ID: ac15aa0471a8580720372bbfca35d1f22de3628a88b07301b78219cbfb89b42d
Opcode Fuzzy Hash: 73113e0ed0139e0a830a8668abe9b08c79aeb0cb90e278a8f98e2436c5f88a1a
Instruction Fuzzy Hash: 6F81F9B2A183108FC314DF29D880A5AF7E2BFC9748F46892DF988D7311D771E9158B86

Function 6D048A50 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2924d4cf8e9929c20248a2c83d62827ca5d4d113a240acd888618fb56db10f9e
Instruction ID: ea21b527de410f57af2e9fad046676cafb208b8ccd5c912b411eb46448619f57
Opcode Fuzzy Hash: 2924d4cf8e9929c20248a2c83d62827ca5d4d113a240acd888618fb56db10f9e
Instruction Fuzzy Hash: E891CAB4909345DFD348CF28C080A1ABBE0BF89748F419E6EE99997351D730E945CF86

Function 6D023000 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807949b0d967baed773fbb20f9470c3b7671d7ac86fc861b68fa84ed8a177dc8
Instruction ID: 47c6176feb15e81c70ae6931ac59d4182ec94bba9cc5f6a93c0cc7f0ee239b60
Opcode Fuzzy Hash: 807949b0d967baed773fbb20f9470c3b7671d7ac86fc861b68fa84ed8a177dc8
Instruction Fuzzy Hash: 4561A87090C3A44AE31D9F6E84A503EFFE15BCA701F444E6EF5E603382D9B49505DBAA

Function 6D04D525 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac723ccbba1f81a982887a6f2356bfddcbeedeb04901012d33b53fa7e6963d7
Instruction ID: a5da313879d068c35226ad21997a71d3fd2e65e6def0a8b79260df1f8de03a3f
Opcode Fuzzy Hash: 9ac723ccbba1f81a982887a6f2356bfddcbeedeb04901012d33b53fa7e6963d7
Instruction Fuzzy Hash: 7D51AAB17093228FD318DF69C590A1AB7E0FF88604F05867CE9899B392D770E845CBC2

Function 6D02CA60 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968a269816fdd984a014b83665b31254b2f6046a9f8b383fae9f2d5eae89dfcf
Instruction ID: 94a5c88471c8f97fd5b124deb6434d9f9e4c6753cb4cebddb4b1a7094a6b964c
Opcode Fuzzy Hash: 968a269816fdd984a014b83665b31254b2f6046a9f8b383fae9f2d5eae89dfcf
Instruction Fuzzy Hash: 1241B370908F058FD306DE39C45031AB3E5BFCA394F54872DE95AAB352EB719882CB45

Function 6D030830 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d08ab83b360a8e8ab420e1cdd2098f0766bd9506dabc25b5ec6c6e985c565f2
Instruction ID: 29f32802303431fd1151ad7262a10dfc875e7cbbd0ba1476906f537238fbd8e5
Opcode Fuzzy Hash: 5d08ab83b360a8e8ab420e1cdd2098f0766bd9506dabc25b5ec6c6e985c565f2
Instruction Fuzzy Hash: CE31457381972D8BD300AF498C40259F7E2AAD0B20F5F8A5ED9A417701DBB0AA15CBC7

Function 6D0292E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e605d37f069b5564e370883fae52ff5f888373ea9c3398f6e9ff1fefb1e40888
Instruction ID: 9e2012b7062090a18328dd409771cb54b0320a33b9d5997b00671bb4f988ac05
Opcode Fuzzy Hash: e605d37f069b5564e370883fae52ff5f888373ea9c3398f6e9ff1fefb1e40888
Instruction Fuzzy Hash: 1D21F631B48215CBEB0CCF39E8E022AF7F2BBCA310756856CD445CB6A4DA74A905C756

Function 6D066730 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0b871407ae912cdeae2c591e7b28230dcfc2ffa374ce2c6a7ebb1d4a80e2ff
Instruction ID: f030f459fe3a2bc082ce6d68d4bcbb3176dad8d2af687d638c8b6d7577e64979
Opcode Fuzzy Hash: 8c0b871407ae912cdeae2c591e7b28230dcfc2ffa374ce2c6a7ebb1d4a80e2ff
Instruction Fuzzy Hash: 65111BB4740B128FC348DF59C0D4966B3E1FBCE210B4682BDDA4A8B767C7B0A811DB85

Function 6D080F80 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8824b781156f454ea3553826e19e07323e6e2b2d4f264b6cc0020fda82c58bda
Instruction ID: 7c91ba18ab6d9ad4fe9e31d04e811382aa9d3dbcc973b1a6a8f7e78c71fa7cc4
Opcode Fuzzy Hash: 8824b781156f454ea3553826e19e07323e6e2b2d4f264b6cc0020fda82c58bda
Instruction Fuzzy Hash: FFC09BB091F3669DFB51CB2ED14035ABEE09BC6740FC0C49DB14843557C374C6809755

Function 6D0A4659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6D0A468B
abort.MSVCRT ref: 6D0A4690
EnterCriticalSection.KERNEL32 ref: 6D0A46AF
LeaveCriticalSection.KERNEL32 ref: 6D0A46C9
SetEvent.KERNEL32 ref: 6D0A46DA
fwrite.MSVCRT ref: 6D0A4713
abort.MSVCRT ref: 6D0A4718
EnterCriticalSection.KERNEL32 ref: 6D0A472A
LeaveCriticalSection.KERNEL32 ref: 6D0A4743

Strings

unexpected cgo_bindm on Windows, xrefs: 6D0A4684
;, xrefs: 6D0A46F8
runtime: failed to signal runtime initialization complete., xrefs: 6D0A470C

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 08d1e5b7139d12237b1fb3314f2d034d2ba5d019f75a25a0e6591aea0ca726b2
Instruction ID: 16036530ea22714318500440599c33cf3c5419aa564a17612e0410ac06a876cc
Opcode Fuzzy Hash: 08d1e5b7139d12237b1fb3314f2d034d2ba5d019f75a25a0e6591aea0ca726b2
Instruction Fuzzy Hash: 091185B54087119FEB00FFB8D10D32EBAF0BB42706F46491CD985AB206DBB5955A8F53

Function 6D0A4C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D0A4D0D

Strings

@, xrefs: 6D0A4D58
VirtualProtect failed with code 0x%x, xrefs: 6D0A4D7A
Address %p has no image-section, xrefs: 6D0A4DBB
VirtualQuery failed for %d bytes at address %p, xrefs: 6D0A4DA7

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: f3d0dfcc96a2852aac8cf44660f91d53e569d1b34cc788097f7a8c9f953d591a
Instruction ID: edcc5887ef005b4455c01119d029e3a994f1fd16feba9a58f5292a3ad9238f26
Opcode Fuzzy Hash: f3d0dfcc96a2852aac8cf44660f91d53e569d1b34cc788097f7a8c9f953d591a
Instruction Fuzzy Hash: C54181BA9043019FE700DFA8D48476AFBF4FB89315F498919E858DB345E770E405CB92

Function 6D0A32D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6D0A3306
mbstowcs.MSVCRT ref: 6D0A3335
_wcsnicmp.MSVCRT ref: 6D0A3392
strtol.MSVCRT ref: 6D0A33F2
lstrlenA.KERNEL32 ref: 6D0A3400
malloc.MSVCRT ref: 6D0A3469
SetLastError.KERNEL32 ref: 6D0A3483
free.MSVCRT ref: 6D0A34BA

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: bb3406870b1ad02c59467aecc725785bf363c03c72cc350a2668741c7002726f
Instruction ID: 43e9f064e3f6dbf9d0ee9e0ef18a9bf7543ea0b29dff047f92346cfadd502f14
Opcode Fuzzy Hash: bb3406870b1ad02c59467aecc725785bf363c03c72cc350a2668741c7002726f
Instruction Fuzzy Hash: 6751A1766083168FE700DFA9D48026EF7E5FBC8304F49892AE998D7211E774D949CB92

Function 6D0A4840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6D0A484F
fwrite.MSVCRT ref: 6D0A489D
abort.MSVCRT ref: 6D0A48A2
free.MSVCRT ref: 6D0A48C5

Part of subcall function 6D0A4790: _beginthread.MSVCRT ref: 6D0A47B6
Part of subcall function 6D0A4790: _errno.MSVCRT ref: 6D0A47C1
Part of subcall function 6D0A4790: _errno.MSVCRT ref: 6D0A47C8
Part of subcall function 6D0A4790: fprintf.MSVCRT ref: 6D0A47E8
Part of subcall function 6D0A4790: abort.MSVCRT ref: 6D0A47ED

Strings

+, xrefs: 6D0A4882
runtime/cgo: out of memory in thread_start, xrefs: 6D0A4896

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: c14d7c662be6c5f707b63f3d9b41b07a9f7a7493400961aa550afddc6ac3adfc
Instruction ID: 8e91da20fa3c0a4a7a9fe0602302242a59158d82251baedc3c5ab0f60e5ca156
Opcode Fuzzy Hash: c14d7c662be6c5f707b63f3d9b41b07a9f7a7493400961aa550afddc6ac3adfc
Instruction Fuzzy Hash: 1C21F9B85087409FD700EF68D48861ABBF0FF8A714F4A899DD9889B326D774D841CB92

Function 6D0A4490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6D0A44B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0A4569), ref: 6D0A44CB
fwrite.MSVCRT ref: 6D0A4500
abort.MSVCRT ref: 6D0A4505

Strings

=, xrefs: 6D0A44E5
runtime: failed to create runtime initialization wait event., xrefs: 6D0A44F9

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: fe4593fe0bf3d343ded6145869cf309966f377612e56b6784d2aa1b4cc8c0ff7
Instruction ID: d05e9d4ba9bd5c9e7192e30ab5e09d0c0e6337bcf25014af2f1e0ac41885fc7f
Opcode Fuzzy Hash: fe4593fe0bf3d343ded6145869cf309966f377612e56b6784d2aa1b4cc8c0ff7
Instruction Fuzzy Hash: 3DF0E1B44083029FF700FF68D00932EBAF0FB46716F86885DD49996142EBB9C0458F53

Function 6D021020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6D0212E0,?,?,?,?,?,?,6D0213A3), ref: 6D021057
_amsg_exit.MSVCRT ref: 6D021085

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: f1a3e12b43005a0f87e09441730effe0a7d11e0021d2d608b02d04ef230077c9
Instruction ID: 9cf9ba1915c42e0bd308a71adc94ea7bea36f4e72db06333abdf4cd4a1410ac6
Opcode Fuzzy Hash: f1a3e12b43005a0f87e09441730effe0a7d11e0021d2d608b02d04ef230077c9
Instruction Fuzzy Hash: 3741D0B16192418BFB01DF5DE48972EB7F1FB87301F458429D948CB206D7B29881CB83

Function 6D0A4D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D0A4D0D
VirtualProtect.KERNEL32 ref: 6D0A4D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D13CA28), ref: 6D0A4D74

Part of subcall function 6D0A5A10: fwrite.MSVCRT ref: 6D0A5A3F
Part of subcall function 6D0A5A10: vfprintf.MSVCRT ref: 6D0A5A5F
Part of subcall function 6D0A5A10: abort.MSVCRT ref: 6D0A5A64

Strings

@, xrefs: 6D0A4D58
VirtualProtect failed with code 0x%x, xrefs: 6D0A4D7A

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 870f2bc17a77be32264c3193a7a5f451f0cee24407bbe6a5e219218567f24eba
Instruction ID: ff6126d2f297a525871074d7aa8ff98f2cf903baa7dfc0b53609b2010aad4565
Opcode Fuzzy Hash: 870f2bc17a77be32264c3193a7a5f451f0cee24407bbe6a5e219218567f24eba
Instruction Fuzzy Hash: 5B2159BA9043029FE700DF68D488729FBF0FB89319F498A19E998C7255E770E4058B52

Function 6D0A34E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6D0A353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D0A43CF), ref: 6D0A357A
malloc.MSVCRT ref: 6D0A35A8
qsort.MSVCRT ref: 6D0A35F6

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: eaf24daa35477542bb71094c62fa0872b792ca958bbc38ffdeedbbfde9615cfb
Instruction ID: 508705d6278c65aca31035ef8edb62d1f9e1a7b16e922794189e94f7db35aeaf
Opcode Fuzzy Hash: eaf24daa35477542bb71094c62fa0872b792ca958bbc38ffdeedbbfde9615cfb
Instruction Fuzzy Hash: 11410B756083018FE710DFA9D48472AB7F5FF88314F49892DE88997362E774E454CB92

Function 6D0A4030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6D0A40D5
SetLastError.KERNEL32 ref: 6D0A40F7
SetLastError.KERNEL32 ref: 6D0A410B

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 7a1e46d7a43076396bbcbd90a78408a283e0980a6afacee5d2d1680442c130e7
Instruction ID: 558170775714057aebe9dd20de3c84aa6ec12fdcb1faae040ba42bccca342abc
Opcode Fuzzy Hash: 7a1e46d7a43076396bbcbd90a78408a283e0980a6afacee5d2d1680442c130e7
Instruction Fuzzy Hash: D321C574614201CBE700DB78C884B6AB7F1FF8A314F188A28E5A9CB391DF35E855CB52

Function 6D0A58B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6D0A58C9
_unlock.MSVCRT ref: 6D0A58F1
calloc.MSVCRT ref: 6D0A593F

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: 8182f0e2d6caf8fa70ca4a416e69abe5dfa3e9ad5a25d82a74b59a2731e4daaf
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: D6117C742182018BE7009FA8C48876A7BE4FF45320F9D8669D898DF286DB74D444CB52

Function 6D0A45C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6D0A45F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0A2DB9), ref: 6D0A45FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0A2DB9), ref: 6D0A460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0A2DB9), ref: 6D0A461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0A2DB9), ref: 6D0A4630

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 609ecc82c27fbbcc545cd6a4b58e2a663790e893d5d3451f16382ce7985cef12
Instruction ID: ee091e00a539ee602a7283501a02a08a4321e9cf6ecb2e7bc2c62d3284fa7440
Opcode Fuzzy Hash: 609ecc82c27fbbcc545cd6a4b58e2a663790e893d5d3451f16382ce7985cef12
Instruction Fuzzy Hash: 8E018CB44043058BEB00FFB9A58961ABBF4EB47712F050528D89487242DBB0E44ACFA3

Function 6D0A5A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D0A5A3F
vfprintf.MSVCRT ref: 6D0A5A5F
abort.MSVCRT ref: 6D0A5A64

Strings

Mingw-w64 runtime failure:, xrefs: 6D0A5A38

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: 32843ec011bed64b5f5b7e1d1081494c9df58f4e13ac2a7746f139ac803c38dc
Instruction ID: ce1d02bf6bf3a28dfedc52e2491b745d3560c136d9825d165ecd120d31a2a617
Opcode Fuzzy Hash: 32843ec011bed64b5f5b7e1d1081494c9df58f4e13ac2a7746f139ac803c38dc
Instruction Fuzzy Hash: DAE0C9B440D3009EE300AFA8C08932EBAF4BF84758F86C91CD5C85B242D7788484CF53

Function 6D0A4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0212A5), ref: 6D0A4EE9

Strings

Unknown pseudo relocation bit size %d., xrefs: 6D0A4F79
Unknown pseudo relocation protocol version %d., xrefs: 6D0A5044

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 35a4231b9569cc9496ebb89bef5b0cbfd1fb20bf4d13d4b06a1e71f7d36259c5
Instruction ID: 36f4e790a8f509f94a3f22c0c7d237bbf6181870312193b0af8968cf5d26b60c
Opcode Fuzzy Hash: 35a4231b9569cc9496ebb89bef5b0cbfd1fb20bf4d13d4b06a1e71f7d36259c5
Instruction Fuzzy Hash: 0B61E839A142359FEB10CFA9D4C076DB7F6FB49314F1A8129D9199B346D771E802CB81

Function 6D0A43A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D0A4408

Part of subcall function 6D0A34E0: bsearch.MSVCRT ref: 6D0A353F

fprintf.MSVCRT ref: 6D0A443C

Strings

$, xrefs: 6D0A43ED

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: b1ac176bcc04732e60142305c677ba0665f8e5d5eecb0b6018680501e5cad7ec
Instruction ID: 7f0a25a13157890d34c69448fc4b0b0b6da03d9fcc49d656855e6d4d611a832c
Opcode Fuzzy Hash: b1ac176bcc04732e60142305c677ba0665f8e5d5eecb0b6018680501e5cad7ec
Instruction Fuzzy Hash: FA01C9B944D3119FE700AFA8944935EFBF4BB48758F0A891EE98997202E775C440CB53

Function 6D0A3630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6D0A3652
free.MSVCRT ref: 6D0A3692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6D0A3BBA), ref: 6D0A36BB
HeapFree.KERNEL32 ref: 6D0A36D0

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: bcef8d0db6f3571554458a764e3d37262d0c7c239aec41215f85eb61eab56a12
Instruction ID: 61db75ef255a736db943b0d1e6ea9c03477c38db8f664a7a12b0ee239fe44f5b
Opcode Fuzzy Hash: bcef8d0db6f3571554458a764e3d37262d0c7c239aec41215f85eb61eab56a12
Instruction Fuzzy Hash: B221E5B5A096018BEB00DFA5C1C872ABBE1BF88704F59C96CD8898B30AD734D845CB91

Function 6D0A5050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6D0A505E
TlsGetValue.KERNEL32 ref: 6D0A5085
GetLastError.KERNEL32 ref: 6D0A508C
LeaveCriticalSection.KERNEL32 ref: 6D0A50AC

Memory Dump Source

Source File: 00000003.00000002.2459387655.000000006D021000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D020000, based on PE: true

Associated: 00000003.00000002.2459358498.000000006D020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459484212.000000006D0A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459504054.000000006D0A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459530566.000000006D0A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459554462.000000006D0AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459616711.000000006D13F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D145000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459638702.000000006D149000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459686765.000000006D17D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459706559.000000006D184000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459724570.000000006D185000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2459752680.000000006D188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d020000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 928e88f5ad27e88eb20e4c3e84da948899f622f74f62e8309c635e30a3abaf21
Instruction ID: 972cf05c0bbea879c4938e6c455d1ad587fea196b4e71752203fd13a7d1ac0ee
Opcode Fuzzy Hash: 928e88f5ad27e88eb20e4c3e84da948899f622f74f62e8309c635e30a3abaf21
Instruction Fuzzy Hash: B6F031B59042158BEB10FFB8E589A2E7BB4FA46351B090528DD459720AE771A805CBE3

Analysis Process: rundll32.exePID: 3028, Parent PID: 7000COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6CD54790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6CD547B6
_errno.MSVCRT ref: 6CD547C1
_errno.MSVCRT ref: 6CD547C8
fprintf.MSVCRT ref: 6CD547E8
abort.MSVCRT ref: 6CD547ED
Sleep.KERNEL32 ref: 6CD54806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6CD547D9

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 3d2226cd71bccdb7f5b4c7bb14b6b89db693580613c190fa0702e31875969b89
Instruction ID: e5648f7c741986de8d235ad984a3124904f2285a4f68c50b9f18306efdbcc3bf
Opcode Fuzzy Hash: 3d2226cd71bccdb7f5b4c7bb14b6b89db693580613c190fa0702e31875969b89
Instruction Fuzzy Hash: 4901697550A304DFCB00BF69D88811EBFB4FF8A329F86495DE58983721D731A464DAA3

Function 6CD31D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6CD31D68

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: f67a38d8c22db79ee838f06de647be82a1a3aa372bbaf166850f0c1293c03f90
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: E4E0E571505700CFCB15DF18C2C1306BBE1EB49A00F4485A8DE098FB4AD734ED10CB92

Non-executed Functions

Function 6CD54AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CD54B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CD54B3F
GetCurrentProcess.KERNEL32 ref: 6CD54B48
TerminateProcess.KERNEL32 ref: 6CD54B59
abort.MSVCRT ref: 6CD54B62

Strings

4l, xrefs: 6CD54B38

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: 7993be3224fc1d3f828faea1761556bbbb585518974fcbe824198eac12958138
Instruction ID: cf188eb6b12588fd0c2186ffe03689c3b9b6175aeda182fa41ae3ed57241ab66
Opcode Fuzzy Hash: 7993be3224fc1d3f828faea1761556bbbb585518974fcbe824198eac12958138
Instruction Fuzzy Hash: 1411F8B5A05308CFDB10EF69C545A5EBBF4FB89304F408529E84887350E735A955CF56

Function 6CD54ADC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CD54B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CD54B3F
GetCurrentProcess.KERNEL32 ref: 6CD54B48
TerminateProcess.KERNEL32 ref: 6CD54B59
abort.MSVCRT ref: 6CD54B62

Strings

4l, xrefs: 6CD54B38

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: 31ed2864b08cf8da9005abcc6b3d1965dfbad463a2d6965c328de28ddb5fd962
Instruction ID: 1d042990eb2199a2708194bd70069918338b850cefd7ce3ff5ad219488605618
Opcode Fuzzy Hash: 31ed2864b08cf8da9005abcc6b3d1965dfbad463a2d6965c328de28ddb5fd962
Instruction Fuzzy Hash: F01129B1A02208CFDB10EF7DC54965EBBF4FB4A304F404529E94997350E734A855CF96

Function 6CD54659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CD5468B
abort.MSVCRT ref: 6CD54690
EnterCriticalSection.KERNEL32 ref: 6CD546AF
LeaveCriticalSection.KERNEL32 ref: 6CD546C9
SetEvent.KERNEL32 ref: 6CD546DA
fwrite.MSVCRT ref: 6CD54713
abort.MSVCRT ref: 6CD54718
EnterCriticalSection.KERNEL32 ref: 6CD5472A
LeaveCriticalSection.KERNEL32 ref: 6CD54743

Strings

unexpected cgo_bindm on Windows, xrefs: 6CD54684
;, xrefs: 6CD546F8
runtime: failed to signal runtime initialization complete., xrefs: 6CD5470C

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 226b47944081ddfaf47709f72862519c1d23da4e8e6f2b10446934095b6dd98f
Instruction ID: be676901eeb49d9bc930ab2fe8ff84bbcc1bc851d73b6f866f86220a10166837
Opcode Fuzzy Hash: 226b47944081ddfaf47709f72862519c1d23da4e8e6f2b10446934095b6dd98f
Instruction Fuzzy Hash: 6611C3B25096118FDB10BF78C10A35EBEF0BB46308F81491CD88947720EB75A469CBA3

Function 6CD54C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CD54D0D

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6CD54DA7
@, xrefs: 6CD54D58
VirtualProtect failed with code 0x%x, xrefs: 6CD54D7A
Address %p has no image-section, xrefs: 6CD54DBB

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: b2998b2f3ff94c21864235824a45fba16bd14dc99f82a6caac5ff9bb2a3cad69
Instruction ID: 198a365c0d51e0ffa6e9e0b76eb30dcd07c70b8a9d4c97230328cda197248e1f
Opcode Fuzzy Hash: b2998b2f3ff94c21864235824a45fba16bd14dc99f82a6caac5ff9bb2a3cad69
Instruction Fuzzy Hash: 9B418DB6A05305DFDB10DF69D484A5AFBF0FB85314F958A19D8588B724E330F429CBA2

Function 6CCD13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CCD13F0
LoadLibraryA.KERNEL32 ref: 6CCD1406
GetProcAddress.KERNEL32 ref: 6CCD1425
GetProcAddress.KERNEL32 ref: 6CCD1437

Strings

__deregister_frame_info, xrefs: 6CCD142C
__register_frame_info, xrefs: 6CCD141A
libgcc_s_dw2-1.dll, xrefs: 6CCD13E9, 6CCD13FF

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0804e620dd8820f7ab0d2c446d6926b86494bf589a82ccb956c4d538e76576cc
Instruction ID: a04ef2f39bb9756246411b7a6aa1e21c64c8f8515e2157668536b05fca05a36d
Opcode Fuzzy Hash: 0804e620dd8820f7ab0d2c446d6926b86494bf589a82ccb956c4d538e76576cc
Instruction Fuzzy Hash: AD0188B29063049FDB107F7DA60631EBFF4EB46266F42452DD98987B14E730A454CBA3

Function 6CD532D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CD53306
mbstowcs.MSVCRT ref: 6CD53335
_wcsnicmp.MSVCRT ref: 6CD53392
strtol.MSVCRT ref: 6CD533F2
lstrlenA.KERNEL32 ref: 6CD53400
malloc.MSVCRT ref: 6CD53469
SetLastError.KERNEL32 ref: 6CD53483
free.MSVCRT ref: 6CD534BA

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 6f6c0d2ee4ddeefac731e9e9582098494f9c29a3f78ef1f5debdbf3ad681c734
Instruction ID: 3542bf060883136b1ba86c99cdde3b3141ebfd5bc8668da094b8816a5fbbc1ac
Opcode Fuzzy Hash: 6f6c0d2ee4ddeefac731e9e9582098494f9c29a3f78ef1f5debdbf3ad681c734
Instruction Fuzzy Hash: 9D519F766083158FDB01DF29C48026AF7E5FFC8304F85892EE898D7620E774D969CB92

Function 6CD54840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CD5484F
fwrite.MSVCRT ref: 6CD5489D
abort.MSVCRT ref: 6CD548A2
free.MSVCRT ref: 6CD548C5

Part of subcall function 6CD54790: _beginthread.MSVCRT ref: 6CD547B6
Part of subcall function 6CD54790: _errno.MSVCRT ref: 6CD547C1
Part of subcall function 6CD54790: _errno.MSVCRT ref: 6CD547C8
Part of subcall function 6CD54790: fprintf.MSVCRT ref: 6CD547E8
Part of subcall function 6CD54790: abort.MSVCRT ref: 6CD547ED

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6CD54896
+, xrefs: 6CD54882

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: fd859e82fb3661fc4fc07427f1b206ce9d3a7cb597c56648bb1e364e078bf4e1
Instruction ID: 2603714d51566cb712ed9165fc55cb4866466bc7247b452f3fac90f9c67933cc
Opcode Fuzzy Hash: fd859e82fb3661fc4fc07427f1b206ce9d3a7cb597c56648bb1e364e078bf4e1
Instruction Fuzzy Hash: 0F21E3B59047008FCB00AF28D48591AFBF4FF89314F85899DE9888B725E3359865CFA2

Function 6CD54490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CD544B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD54569), ref: 6CD544CB
fwrite.MSVCRT ref: 6CD54500
abort.MSVCRT ref: 6CD54505

Strings

=, xrefs: 6CD544E5
runtime: failed to create runtime initialization wait event., xrefs: 6CD544F9

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: 1f0a6b7467d21ad1adaf3d8cc8ea4ecd9ad7729f8bf49c1b15588fd259063571
Instruction ID: 82aeb23a7a0be8538f89a57cdb5d94b30e10e3aa3e2390b17346ca9febfd49dc
Opcode Fuzzy Hash: 1f0a6b7467d21ad1adaf3d8cc8ea4ecd9ad7729f8bf49c1b15588fd259063571
Instruction Fuzzy Hash: 53F0E7B15093019FEB00BF68C40936EBEF0BB45309F91885DD89987660EBB99059CFA3

Function 6CCD1020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CCD12E0,?,?,?,?,?,?,6CCD13A3), ref: 6CCD1057
_amsg_exit.MSVCRT ref: 6CCD1085

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 0d288db1a727cff0a85ab74140f6ec2078f873c9a98c658dc9cea8e422a3ae6d
Instruction ID: 5b4ee999720b112c5c2435a23550f79686c29e019ac15224c26075b38a21ffb4
Opcode Fuzzy Hash: 0d288db1a727cff0a85ab74140f6ec2078f873c9a98c658dc9cea8e422a3ae6d
Instruction Fuzzy Hash: 0541D1B17082008BEB10AF5EC586B1AB7F1FB85324F518529D64CCBB01E735F881CBA2

Function 6CD54D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CD54D0D
VirtualProtect.KERNEL32 ref: 6CD54D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDECA28), ref: 6CD54D74

Part of subcall function 6CD55A10: fwrite.MSVCRT ref: 6CD55A3F
Part of subcall function 6CD55A10: vfprintf.MSVCRT ref: 6CD55A5F
Part of subcall function 6CD55A10: abort.MSVCRT ref: 6CD55A64

Strings

@, xrefs: 6CD54D58
VirtualProtect failed with code 0x%x, xrefs: 6CD54D7A

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: aea2b34f7587f300b921fb7b83badf71bbdae122998d772205084e80066b0018
Instruction ID: e4b6658707ac3615b87c6a47bc03036ce857a6684082a53ba3e39dabfd2f686f
Opcode Fuzzy Hash: aea2b34f7587f300b921fb7b83badf71bbdae122998d772205084e80066b0018
Instruction Fuzzy Hash: DB2138B6905305DFDB00DF28D48465AFBF0BF89318F948A29D89887724E330E529CF62

Function 6CD54310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CD54314
FormatMessageA.KERNEL32 ref: 6CD54359
fprintf.MSVCRT ref: 6CD54382
LocalFree.KERNEL32 ref: 6CD5438E

Strings

Erro: %s, xrefs: 6CD54373

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: c2be5d63f80ca6081c708957bb42359bf8d5b37fb6e3c95bcce3b61f8241c74b
Instruction ID: fc8b05462ec95f3e56c5e95bf69d7ae9ba709337ef0eac20520a59aefa8f4b37
Opcode Fuzzy Hash: c2be5d63f80ca6081c708957bb42359bf8d5b37fb6e3c95bcce3b61f8241c74b
Instruction Fuzzy Hash: 95014DB1509305DFEB00AF68C18931EBFF4AB88349F41891DE8989A364E7799158CF97

Function 6CD534E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6CD5353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CD543CF), ref: 6CD5357A
malloc.MSVCRT ref: 6CD535A8
qsort.MSVCRT ref: 6CD535F6

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: eccaaa2c01905a34f425209aa055237ab7f088600970dd64871c2902dbef395f
Instruction ID: 3b66f2a1dfef4dd5fa52546651be6345be376580171116e1dcaa9bacda9b0c06
Opcode Fuzzy Hash: eccaaa2c01905a34f425209aa055237ab7f088600970dd64871c2902dbef395f
Instruction Fuzzy Hash: 98413B75A083018FDB10DF69C48062ABBF1FF84354F95892DE88987724E774E868CB92

Function 6CD54030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6CD540D5
SetLastError.KERNEL32 ref: 6CD540F7
SetLastError.KERNEL32 ref: 6CD5410B

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 068c1274564739db14b9e3177fb177ee5e188fc2b53cf9bb8b01b077deb9fae4
Instruction ID: 96d5304068a2863b6b361c22ae4ab8eee9d04720428ed65c7321f1ff5a8e7707
Opcode Fuzzy Hash: 068c1274564739db14b9e3177fb177ee5e188fc2b53cf9bb8b01b077deb9fae4
Instruction Fuzzy Hash: 1F21A770605204CBDB009B39C944657B7F5AF85318F648A28E9A9CB3A0DB35F876CB53

Function 6CD558B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CD558C9
_unlock.MSVCRT ref: 6CD558F1
calloc.MSVCRT ref: 6CD5593F

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: 9863899a42f65f0800ce15c206419dd7bb756ada8fdb71db4ab81f59e0e2555d
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 51114FB4505201CBDF019F28C48075ABBE4FF45364F948669D4A8CB7A5FB38E854CB62

Function 6CD54A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6CD54A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCD13B9), ref: 6CD54A7A
GetCurrentThreadId.KERNEL32 ref: 6CD54A82
GetTickCount.KERNEL32 ref: 6CD54A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCD13B9), ref: 6CD54A99

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c6c14971cb0b4e5e3c7cb405e9591e792eb1317a4d9815ea066397419d274a7a
Instruction ID: ca93d81bdd41655e2b33e84be0b244e4a28f4b93edebe052a5262107b51f2bfb
Opcode Fuzzy Hash: c6c14971cb0b4e5e3c7cb405e9591e792eb1317a4d9815ea066397419d274a7a
Instruction Fuzzy Hash: FA118FB66053048BCB10EF79E88855BBBF4FB89258F400839E548C7310EA34D4588B92

Function 6CD545C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CD545F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD545FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD5460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD5461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD54630

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 295d8d2c530121d858de779e1c10cce7a787f724cc4d7ac113e604616238707d
Instruction ID: f31cc6879ed1ec3c45f70bf5be242908145902fd632e54afbdead7c3e0f9e272
Opcode Fuzzy Hash: 295d8d2c530121d858de779e1c10cce7a787f724cc4d7ac113e604616238707d
Instruction Fuzzy Hash: 0E0171F26043298BDB10BF79D58691ABBF4AF42314F11052DD89847750D630F46ACBA3

Function 6CD55A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CD55A3F
vfprintf.MSVCRT ref: 6CD55A5F
abort.MSVCRT ref: 6CD55A64

Strings

Mingw-w64 runtime failure:, xrefs: 6CD55A38

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: a4009c21048fcaf54abb19176b9fda439c86e722934b2264d51d6c8b6dc3f692
Instruction ID: 957a14ecde1a3691d3dac0cad13f672172e79f20c3b6c2fcf0fd985c3375c2f1
Opcode Fuzzy Hash: a4009c21048fcaf54abb19176b9fda439c86e722934b2264d51d6c8b6dc3f692
Instruction Fuzzy Hash: 04E0C2B040A3009EC701AF68C08529EFEF8BF88358F81891CD4C947B61E7789498CF63

Function 6CD54DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCD12A5), ref: 6CD54EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6CD55044
Unknown pseudo relocation bit size %d., xrefs: 6CD54F79

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 06531439d0bb3cefdcadcb361445b8261d48a1a7c97c6cd11cc68af693ce0eac
Instruction ID: 0e68f38b06256f9f382b1ef677dad29ddd6abfda776946000fdc5a0f77e9e2bc
Opcode Fuzzy Hash: 06531439d0bb3cefdcadcb361445b8261d48a1a7c97c6cd11cc68af693ce0eac
Instruction Fuzzy Hash: 0161CF72B042159BCF14DF6DC4C0699BBF5BB89318F948269D8199BB20D331F876CB92

Function 6CD543A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CD54408

Part of subcall function 6CD534E0: bsearch.MSVCRT ref: 6CD5353F

fprintf.MSVCRT ref: 6CD5443C

Strings

$, xrefs: 6CD543ED

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 58bf40d7a9bc42aa8750854726835c66e408ec5a0dcd46b8c59f650e583bec5b
Instruction ID: 9b899b17e837f2b93253d414d24e50dc6f4d9aab048fe2272b85ce1f08ab1814
Opcode Fuzzy Hash: 58bf40d7a9bc42aa8750854726835c66e408ec5a0dcd46b8c59f650e583bec5b
Instruction Fuzzy Hash: 110117B5449310DFEB00AF28944925EFBE4AB48358F41882EE8C987720E3758464CB63

Function 6CD53630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6CD53652
free.MSVCRT ref: 6CD53692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CD53BBA), ref: 6CD536BB
HeapFree.KERNEL32 ref: 6CD536D0

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: 7cfbb8c42aab637168ce88be1e7b11216ce97b07f68871891dcfa73305c6ddab
Instruction ID: da58e75c577a1a1f3e4642504bcf0ac8c66137dff46cd34f00f2ebc70d4a8f26
Opcode Fuzzy Hash: 7cfbb8c42aab637168ce88be1e7b11216ce97b07f68871891dcfa73305c6ddab
Instruction Fuzzy Hash: 2721E3B5A05301CBDB00AF25C5C871ABBF0BF84718F55C96CD8898B359E734D855CB92

Function 6CD55050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CD5505E
TlsGetValue.KERNEL32 ref: 6CD55085
GetLastError.KERNEL32 ref: 6CD5508C
LeaveCriticalSection.KERNEL32 ref: 6CD550AC

Memory Dump Source

Source File: 0000000E.00000002.2557146619.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 0000000E.00000002.2557074578.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557387116.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557467979.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557551151.000000006CD59000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557621329.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557828046.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2557897799.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558019004.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558076675.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558130736.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.2558185376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c45d6a929345d6b591a52c36fc765492b56d196ad21d233a0c7c8c9dfbd6f9be
Instruction ID: ed17913e7f27dd1ea6d9d5ebb2c80cd8c4f94ac809d26896ac5eb9c54aaa1741
Opcode Fuzzy Hash: c45d6a929345d6b591a52c36fc765492b56d196ad21d233a0c7c8c9dfbd6f9be
Instruction Fuzzy Hash: 0EF0AFB2A052189BDF10BF7DD48591A7BB4FB46304B560528DD498B319E631B815CBE3

Analysis Process: rundll32.exePID: 5644, Parent PID: 7000COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6CD54790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6CD547B6
_errno.MSVCRT ref: 6CD547C1
_errno.MSVCRT ref: 6CD547C8
fprintf.MSVCRT ref: 6CD547E8
abort.MSVCRT ref: 6CD547ED
Sleep.KERNEL32 ref: 6CD54806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6CD547D9

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 3d2226cd71bccdb7f5b4c7bb14b6b89db693580613c190fa0702e31875969b89
Instruction ID: e5648f7c741986de8d235ad984a3124904f2285a4f68c50b9f18306efdbcc3bf
Opcode Fuzzy Hash: 3d2226cd71bccdb7f5b4c7bb14b6b89db693580613c190fa0702e31875969b89
Instruction Fuzzy Hash: 4901697550A304DFCB00BF69D88811EBFB4FF8A329F86495DE58983721D731A464DAA3

Function 6CD31D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6CD31D68

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: f67a38d8c22db79ee838f06de647be82a1a3aa372bbaf166850f0c1293c03f90
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: E4E0E571505700CFCB15DF18C2C1306BBE1EB49A00F4485A8DE098FB4AD734ED10CB92

Non-executed Functions

Function 6CD54AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CD54B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CD54B3F
GetCurrentProcess.KERNEL32 ref: 6CD54B48
TerminateProcess.KERNEL32 ref: 6CD54B59
abort.MSVCRT ref: 6CD54B62

Strings

4l, xrefs: 6CD54B38

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: 7993be3224fc1d3f828faea1761556bbbb585518974fcbe824198eac12958138
Instruction ID: cf188eb6b12588fd0c2186ffe03689c3b9b6175aeda182fa41ae3ed57241ab66
Opcode Fuzzy Hash: 7993be3224fc1d3f828faea1761556bbbb585518974fcbe824198eac12958138
Instruction Fuzzy Hash: 1411F8B5A05308CFDB10EF69C545A5EBBF4FB89304F408529E84887350E735A955CF56

Function 6CD54ADC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CD54B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CD54B3F
GetCurrentProcess.KERNEL32 ref: 6CD54B48
TerminateProcess.KERNEL32 ref: 6CD54B59
abort.MSVCRT ref: 6CD54B62

Strings

4l, xrefs: 6CD54B38

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: 31ed2864b08cf8da9005abcc6b3d1965dfbad463a2d6965c328de28ddb5fd962
Instruction ID: 1d042990eb2199a2708194bd70069918338b850cefd7ce3ff5ad219488605618
Opcode Fuzzy Hash: 31ed2864b08cf8da9005abcc6b3d1965dfbad463a2d6965c328de28ddb5fd962
Instruction Fuzzy Hash: F01129B1A02208CFDB10EF7DC54965EBBF4FB4A304F404529E94997350E734A855CF96

Function 6CD54659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CD5468B
abort.MSVCRT ref: 6CD54690
EnterCriticalSection.KERNEL32 ref: 6CD546AF
LeaveCriticalSection.KERNEL32 ref: 6CD546C9
SetEvent.KERNEL32 ref: 6CD546DA
fwrite.MSVCRT ref: 6CD54713
abort.MSVCRT ref: 6CD54718
EnterCriticalSection.KERNEL32 ref: 6CD5472A
LeaveCriticalSection.KERNEL32 ref: 6CD54743

Strings

runtime: failed to signal runtime initialization complete., xrefs: 6CD5470C
unexpected cgo_bindm on Windows, xrefs: 6CD54684
;, xrefs: 6CD546F8

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 226b47944081ddfaf47709f72862519c1d23da4e8e6f2b10446934095b6dd98f
Instruction ID: be676901eeb49d9bc930ab2fe8ff84bbcc1bc851d73b6f866f86220a10166837
Opcode Fuzzy Hash: 226b47944081ddfaf47709f72862519c1d23da4e8e6f2b10446934095b6dd98f
Instruction Fuzzy Hash: 6611C3B25096118FDB10BF78C10A35EBEF0BB46308F81491CD88947720EB75A469CBA3

Function 6CD54C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CD54D0D

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CD54D7A
@, xrefs: 6CD54D58
Address %p has no image-section, xrefs: 6CD54DBB
VirtualQuery failed for %d bytes at address %p, xrefs: 6CD54DA7

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: b2998b2f3ff94c21864235824a45fba16bd14dc99f82a6caac5ff9bb2a3cad69
Instruction ID: 198a365c0d51e0ffa6e9e0b76eb30dcd07c70b8a9d4c97230328cda197248e1f
Opcode Fuzzy Hash: b2998b2f3ff94c21864235824a45fba16bd14dc99f82a6caac5ff9bb2a3cad69
Instruction Fuzzy Hash: 9B418DB6A05305DFDB10DF69D484A5AFBF0FB85314F958A19D8588B724E330F429CBA2

Function 6CCD13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CCD13F0
LoadLibraryA.KERNEL32 ref: 6CCD1406
GetProcAddress.KERNEL32 ref: 6CCD1425
GetProcAddress.KERNEL32 ref: 6CCD1437

Strings

libgcc_s_dw2-1.dll, xrefs: 6CCD13E9, 6CCD13FF
__register_frame_info, xrefs: 6CCD141A
__deregister_frame_info, xrefs: 6CCD142C

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0804e620dd8820f7ab0d2c446d6926b86494bf589a82ccb956c4d538e76576cc
Instruction ID: a04ef2f39bb9756246411b7a6aa1e21c64c8f8515e2157668536b05fca05a36d
Opcode Fuzzy Hash: 0804e620dd8820f7ab0d2c446d6926b86494bf589a82ccb956c4d538e76576cc
Instruction Fuzzy Hash: AD0188B29063049FDB107F7DA60631EBFF4EB46266F42452DD98987B14E730A454CBA3

Function 6CD532D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CD53306
mbstowcs.MSVCRT ref: 6CD53335
_wcsnicmp.MSVCRT ref: 6CD53392
strtol.MSVCRT ref: 6CD533F2
lstrlenA.KERNEL32 ref: 6CD53400
malloc.MSVCRT ref: 6CD53469
SetLastError.KERNEL32 ref: 6CD53483
free.MSVCRT ref: 6CD534BA

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 6f6c0d2ee4ddeefac731e9e9582098494f9c29a3f78ef1f5debdbf3ad681c734
Instruction ID: 3542bf060883136b1ba86c99cdde3b3141ebfd5bc8668da094b8816a5fbbc1ac
Opcode Fuzzy Hash: 6f6c0d2ee4ddeefac731e9e9582098494f9c29a3f78ef1f5debdbf3ad681c734
Instruction Fuzzy Hash: 9D519F766083158FDB01DF29C48026AF7E5FFC8304F85892EE898D7620E774D969CB92

Function 6CD54840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CD5484F
fwrite.MSVCRT ref: 6CD5489D
abort.MSVCRT ref: 6CD548A2
free.MSVCRT ref: 6CD548C5

Part of subcall function 6CD54790: _beginthread.MSVCRT ref: 6CD547B6
Part of subcall function 6CD54790: _errno.MSVCRT ref: 6CD547C1
Part of subcall function 6CD54790: _errno.MSVCRT ref: 6CD547C8
Part of subcall function 6CD54790: fprintf.MSVCRT ref: 6CD547E8
Part of subcall function 6CD54790: abort.MSVCRT ref: 6CD547ED

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6CD54896
+, xrefs: 6CD54882

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: fd859e82fb3661fc4fc07427f1b206ce9d3a7cb597c56648bb1e364e078bf4e1
Instruction ID: 2603714d51566cb712ed9165fc55cb4866466bc7247b452f3fac90f9c67933cc
Opcode Fuzzy Hash: fd859e82fb3661fc4fc07427f1b206ce9d3a7cb597c56648bb1e364e078bf4e1
Instruction Fuzzy Hash: 0F21E3B59047008FCB00AF28D48591AFBF4FF89314F85899DE9888B725E3359865CFA2

Function 6CD54490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CD544B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD54569), ref: 6CD544CB
fwrite.MSVCRT ref: 6CD54500
abort.MSVCRT ref: 6CD54505

Strings

=, xrefs: 6CD544E5
runtime: failed to create runtime initialization wait event., xrefs: 6CD544F9

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: 1f0a6b7467d21ad1adaf3d8cc8ea4ecd9ad7729f8bf49c1b15588fd259063571
Instruction ID: 82aeb23a7a0be8538f89a57cdb5d94b30e10e3aa3e2390b17346ca9febfd49dc
Opcode Fuzzy Hash: 1f0a6b7467d21ad1adaf3d8cc8ea4ecd9ad7729f8bf49c1b15588fd259063571
Instruction Fuzzy Hash: 53F0E7B15093019FEB00BF68C40936EBEF0BB45309F91885DD89987660EBB99059CFA3

Function 6CCD1020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CCD12E0,?,?,?,?,?,?,6CCD13A3), ref: 6CCD1057
_amsg_exit.MSVCRT ref: 6CCD1085

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 0d288db1a727cff0a85ab74140f6ec2078f873c9a98c658dc9cea8e422a3ae6d
Instruction ID: 5b4ee999720b112c5c2435a23550f79686c29e019ac15224c26075b38a21ffb4
Opcode Fuzzy Hash: 0d288db1a727cff0a85ab74140f6ec2078f873c9a98c658dc9cea8e422a3ae6d
Instruction Fuzzy Hash: 0541D1B17082008BEB10AF5EC586B1AB7F1FB85324F518529D64CCBB01E735F881CBA2

Function 6CD54D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CD54D0D
VirtualProtect.KERNEL32 ref: 6CD54D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDECA28), ref: 6CD54D74

Part of subcall function 6CD55A10: fwrite.MSVCRT ref: 6CD55A3F
Part of subcall function 6CD55A10: vfprintf.MSVCRT ref: 6CD55A5F
Part of subcall function 6CD55A10: abort.MSVCRT ref: 6CD55A64

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CD54D7A
@, xrefs: 6CD54D58

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: aea2b34f7587f300b921fb7b83badf71bbdae122998d772205084e80066b0018
Instruction ID: e4b6658707ac3615b87c6a47bc03036ce857a6684082a53ba3e39dabfd2f686f
Opcode Fuzzy Hash: aea2b34f7587f300b921fb7b83badf71bbdae122998d772205084e80066b0018
Instruction Fuzzy Hash: DB2138B6905305DFDB00DF28D48465AFBF0BF89318F948A29D89887724E330E529CF62

Function 6CD54310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CD54314
FormatMessageA.KERNEL32 ref: 6CD54359
fprintf.MSVCRT ref: 6CD54382
LocalFree.KERNEL32 ref: 6CD5438E

Strings

Erro: %s, xrefs: 6CD54373

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: c2be5d63f80ca6081c708957bb42359bf8d5b37fb6e3c95bcce3b61f8241c74b
Instruction ID: fc8b05462ec95f3e56c5e95bf69d7ae9ba709337ef0eac20520a59aefa8f4b37
Opcode Fuzzy Hash: c2be5d63f80ca6081c708957bb42359bf8d5b37fb6e3c95bcce3b61f8241c74b
Instruction Fuzzy Hash: 95014DB1509305DFEB00AF68C18931EBFF4AB88349F41891DE8989A364E7799158CF97

Function 6CD534E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6CD5353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CD543CF), ref: 6CD5357A
malloc.MSVCRT ref: 6CD535A8
qsort.MSVCRT ref: 6CD535F6

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: eccaaa2c01905a34f425209aa055237ab7f088600970dd64871c2902dbef395f
Instruction ID: 3b66f2a1dfef4dd5fa52546651be6345be376580171116e1dcaa9bacda9b0c06
Opcode Fuzzy Hash: eccaaa2c01905a34f425209aa055237ab7f088600970dd64871c2902dbef395f
Instruction Fuzzy Hash: 98413B75A083018FDB10DF69C48062ABBF1FF84354F95892DE88987724E774E868CB92

Function 6CD54030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6CD540D5
SetLastError.KERNEL32 ref: 6CD540F7
SetLastError.KERNEL32 ref: 6CD5410B

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 068c1274564739db14b9e3177fb177ee5e188fc2b53cf9bb8b01b077deb9fae4
Instruction ID: 96d5304068a2863b6b361c22ae4ab8eee9d04720428ed65c7321f1ff5a8e7707
Opcode Fuzzy Hash: 068c1274564739db14b9e3177fb177ee5e188fc2b53cf9bb8b01b077deb9fae4
Instruction Fuzzy Hash: 1F21A770605204CBDB009B39C944657B7F5AF85318F648A28E9A9CB3A0DB35F876CB53

Function 6CD558B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CD558C9
_unlock.MSVCRT ref: 6CD558F1
calloc.MSVCRT ref: 6CD5593F

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: 9863899a42f65f0800ce15c206419dd7bb756ada8fdb71db4ab81f59e0e2555d
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 51114FB4505201CBDF019F28C48075ABBE4FF45364F948669D4A8CB7A5FB38E854CB62

Function 6CD54A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6CD54A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCD13B9), ref: 6CD54A7A
GetCurrentThreadId.KERNEL32 ref: 6CD54A82
GetTickCount.KERNEL32 ref: 6CD54A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCD13B9), ref: 6CD54A99

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c6c14971cb0b4e5e3c7cb405e9591e792eb1317a4d9815ea066397419d274a7a
Instruction ID: ca93d81bdd41655e2b33e84be0b244e4a28f4b93edebe052a5262107b51f2bfb
Opcode Fuzzy Hash: c6c14971cb0b4e5e3c7cb405e9591e792eb1317a4d9815ea066397419d274a7a
Instruction Fuzzy Hash: FA118FB66053048BCB10EF79E88855BBBF4FB89258F400839E548C7310EA34D4588B92

Function 6CD545C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CD545F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD545FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD5460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD5461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD52DB9), ref: 6CD54630

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 295d8d2c530121d858de779e1c10cce7a787f724cc4d7ac113e604616238707d
Instruction ID: f31cc6879ed1ec3c45f70bf5be242908145902fd632e54afbdead7c3e0f9e272
Opcode Fuzzy Hash: 295d8d2c530121d858de779e1c10cce7a787f724cc4d7ac113e604616238707d
Instruction Fuzzy Hash: 0E0171F26043298BDB10BF79D58691ABBF4AF42314F11052DD89847750D630F46ACBA3

Function 6CD55A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CD55A3F
vfprintf.MSVCRT ref: 6CD55A5F
abort.MSVCRT ref: 6CD55A64

Strings

Mingw-w64 runtime failure:, xrefs: 6CD55A38

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: a4009c21048fcaf54abb19176b9fda439c86e722934b2264d51d6c8b6dc3f692
Instruction ID: 957a14ecde1a3691d3dac0cad13f672172e79f20c3b6c2fcf0fd985c3375c2f1
Opcode Fuzzy Hash: a4009c21048fcaf54abb19176b9fda439c86e722934b2264d51d6c8b6dc3f692
Instruction Fuzzy Hash: 04E0C2B040A3009EC701AF68C08529EFEF8BF88358F81891CD4C947B61E7789498CF63

Function 6CD54DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCD12A5), ref: 6CD54EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6CD55044
Unknown pseudo relocation bit size %d., xrefs: 6CD54F79

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 06531439d0bb3cefdcadcb361445b8261d48a1a7c97c6cd11cc68af693ce0eac
Instruction ID: 0e68f38b06256f9f382b1ef677dad29ddd6abfda776946000fdc5a0f77e9e2bc
Opcode Fuzzy Hash: 06531439d0bb3cefdcadcb361445b8261d48a1a7c97c6cd11cc68af693ce0eac
Instruction Fuzzy Hash: 0161CF72B042159BCF14DF6DC4C0699BBF5BB89318F948269D8199BB20D331F876CB92

Function 6CD543A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CD54408

Part of subcall function 6CD534E0: bsearch.MSVCRT ref: 6CD5353F

fprintf.MSVCRT ref: 6CD5443C

Strings

$, xrefs: 6CD543ED

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 58bf40d7a9bc42aa8750854726835c66e408ec5a0dcd46b8c59f650e583bec5b
Instruction ID: 9b899b17e837f2b93253d414d24e50dc6f4d9aab048fe2272b85ce1f08ab1814
Opcode Fuzzy Hash: 58bf40d7a9bc42aa8750854726835c66e408ec5a0dcd46b8c59f650e583bec5b
Instruction Fuzzy Hash: 110117B5449310DFEB00AF28944925EFBE4AB48358F41882EE8C987720E3758464CB63

Function 6CD53630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6CD53652
free.MSVCRT ref: 6CD53692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CD53BBA), ref: 6CD536BB
HeapFree.KERNEL32 ref: 6CD536D0

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: 7cfbb8c42aab637168ce88be1e7b11216ce97b07f68871891dcfa73305c6ddab
Instruction ID: da58e75c577a1a1f3e4642504bcf0ac8c66137dff46cd34f00f2ebc70d4a8f26
Opcode Fuzzy Hash: 7cfbb8c42aab637168ce88be1e7b11216ce97b07f68871891dcfa73305c6ddab
Instruction Fuzzy Hash: 2721E3B5A05301CBDB00AF25C5C871ABBF0BF84718F55C96CD8898B359E734D855CB92

Function 6CD55050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CD5505E
TlsGetValue.KERNEL32 ref: 6CD55085
GetLastError.KERNEL32 ref: 6CD5508C
LeaveCriticalSection.KERNEL32 ref: 6CD550AC

Memory Dump Source

Source File: 00000012.00000002.2551256259.000000006CCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCD0000, based on PE: true

Associated: 00000012.00000002.2551165445.000000006CCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2551831732.000000006CD56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552014331.000000006CD57000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552131097.000000006CD5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552203012.000000006CD5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552673033.000000006CDEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2552834864.000000006CDF9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553660907.000000006CE2D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553785498.000000006CE34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553885521.000000006CE35000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.2553985376.000000006CE38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6ccd0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c45d6a929345d6b591a52c36fc765492b56d196ad21d233a0c7c8c9dfbd6f9be
Instruction ID: ed17913e7f27dd1ea6d9d5ebb2c80cd8c4f94ac809d26896ac5eb9c54aaa1741
Opcode Fuzzy Hash: c45d6a929345d6b591a52c36fc765492b56d196ad21d233a0c7c8c9dfbd6f9be
Instruction Fuzzy Hash: 0EF0AFB2A052189BDF10BF7DD48591A7BB4FB46304B560528DD498B319E631B815CBE3

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2YsKFOeUhM.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 7000, Parent PID: 4088

General

Chronological Activities

Analysis Process: conhost.exePID: 7008, Parent PID: 7000

General

Chronological Activities

Analysis Process: cmd.exePID: 7052, Parent PID: 7000

General

Chronological Activities

Analysis Process: rundll32.exePID: 7060, Parent PID: 7000

Windows Analysis Report
2YsKFOeUhM.dll

Function 6D0A4790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Function 6D081D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Function 6D0A3710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Function 6D035820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Function 6D048E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON