
Windows Analysis Report
HgTsDS6q1s.dll

Overview

General Information

Sample name: HgTsDS6q1s.dll (renamed because original name is a hash value)
Original sample name: 5a4fee8a7cbf2ca55541824b09fc67456f6b657e19ecf82927f24af4f6eb4cf4.dll
Analysis ID: 1544802
MD5: df005390baec1e1326325feb280a7fbf
SHA1: a20680153e207ad1cef43d0624d4ed3d2703cb36
SHA256: 5a4fee8a7cbf2ca55541824b09fc67456f6b657e19ecf82927f24af4f6eb4cf4
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 180 cmdline: loaddll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4488 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3704 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5700 cmdline: rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6168 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4460 cmdline: rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2504 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4176 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3452 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4996 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7196 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7300 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7348 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7388 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7408 cmdline: rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC91830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF21830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF21830
Source: HgTsDS6q1s.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: HgTsDS6q1s.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 3_2_6CC62CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 3_2_6CC62CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 3_2_6CC7CEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 3_2_6CC89030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 3_2_6CC8A360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 12_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 12_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 12_2_6CF0CEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 12_2_6CF19030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 12_2_6CF1A360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 16_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 16_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 16_2_6CF0CEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 16_2_6CF19030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 16_2_6CF1A360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC92A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC91A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC91570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC911F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF22A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF21A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF21570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF211F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF22A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF21A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF21570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF211F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC62CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC62CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCBBD40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCB5FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC9CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCBD800
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC759F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCCA992
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC70AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCF7B10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC344F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC81440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCA6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC83400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCB8690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC86630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC690F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC780A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC96010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC8B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC632A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC9E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC893F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC73A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC9A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF4BD40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEFBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF45FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF2CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF4D800
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF059F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF5A992
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF00AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEFFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF87B10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF36470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF11440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF5344F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF13400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF48690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF16630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEF90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF080A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF26010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF1B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CEF32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF2E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF193F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF573A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6CF2A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF4BD40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEFBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF45FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF2CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF4D800
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF059F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF5A992
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF00AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEFFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF87B10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF36470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF11440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF5344F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF13400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF48690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF16630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEF90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF080A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF26010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF1B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CEF32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF2E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF193F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF573A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_6CF2A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF56BB0 appears 926 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CC97410 appears 680 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF27410 appears 1360 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF25080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCC6BB0 appears 463 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF23B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 832
Source: HgTsDS6q1s.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eb425c55-bb23-4c6f-ac57-ab04e2211be9
Source: HgTsDS6q1s.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarCreate
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
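The runtime/metrics names in those hits are useful beyond "this is Go": each name was introduced in a specific Go release, so the newest one present gives a floor on the toolchain that built the sample. The script below is an added example, not Joe Sandbox code; it pulls the metric names out of the concatenated blob, flags the blob as Go runtime noise, and reports the floor. The release mapping is taken from the Go release notes, and the sample blob is assembled from two of the report's own string hits.

```python
"""Separate Go runtime noise from sample-specific strings in output like the listing above,
and derive a lower bound on the Go release from the runtime/metrics names present.
Added example; the blob below is assembled from the report's own string hits."""
import re
from typing import List, Optional, Tuple

# runtime/metrics names and the Go release whose notes introduced them.
METRIC_INTRODUCED = {
    "/memory/classes/heap/unused:bytes": (1, 16),
    "/memory/classes/heap/stacks:bytes": (1, 16),
    "/memory/classes/metadata/other:bytes": (1, 16),
    "/gc/limiter/last-enabled:gc-cycle": (1, 19),
    "/cpu/classes/gc/total:cpu-seconds": (1, 20),
    "/cpu/classes/gc/pause:cpu-seconds": (1, 20),
    "/sched/pauses/stopping/gc:seconds": (1, 22),
    "/sched/pauses/stopping/other:seconds": (1, 22),
    "/sched/pauses/total/other:seconds": (1, 22),
}
# A metric name is a slash path ending in ":unit". The explicit unit list is what stops the
# match at "...:secondsmin must be a non-zero power of 2", where the next literal follows
# with no separator at all.
METRIC_RE = re.compile(
    r"/[a-z]+(?:/[a-z-]+)+:(?:bytes|cpu-seconds|seconds|gc-cycle|events|objects|threads|percent|calls)"
)
# Throw messages only the Go runtime emits.
GO_RUNTIME_MARKERS = (
    "concurrent map read and map write",
    "runtime: failed to decommit pages",
    "stoplockedm: inconsistent locking",
    "findrunnable: negative nmspinning",
    "runtime: VirtualQuery failed; errno=",
)


def extract_metrics(blob: str) -> List[str]:
    """Unique runtime/metrics names in order of first appearance."""
    seen, names = set(), []
    for name in METRIC_RE.findall(blob):
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def go_version_floor(names) -> Optional[Tuple[int, int]]:
    """Newest 'introduced in' release among the known names, i.e. the oldest toolchain that
    could have produced the binary; None when no name is known."""
    known = [METRIC_INTRODUCED[n] for n in names if n in METRIC_INTRODUCED]
    return max(known) if known else None


def looks_like_go_runtime(blob: str) -> bool:
    """Two or more metric names, or any runtime throw marker, means Go runtime strings."""
    return len(extract_metrics(blob)) >= 2 or any(m in blob for m in GO_RUNTIME_MARKERS)


# Constructed from the report's "String found in binary or memory" hits (two of them joined).
SAMPLE_BLOB = (
    "/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds"
    "/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes"
    "/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds"
    "/sched/pauses/total/other:secondsmin must be a non-zero power of 2"
    "runtime: failed mSpanList.insert runtime: castogscanstatus oldval="
    "stoplockedm: inconsistent lockingfindrunnable: negative nmspinning"
)

if __name__ == "__main__":
    names = extract_metrics(SAMPLE_BLOB)
    print("\n".join(names))
    print("Go version floor:", go_version_floor(names))
```

On the blob above the floor comes out as Go 1.22 because of the /sched/pauses/* names; a build-info section or `go version -m` on the file gives the exact release when it is available, the metrics names only bound it from below.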
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 832
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 860
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarRecognize
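The process list above is what an endpoint sensor would see for this sample: rundll32.exe loading a DLL out of a user profile directory, once by ordinal (#1) and once per named export, and WerFault.exe spawned for the rundll32 instances that crashed (the -p argument is the crashed PID). The script below is an added example of detection logic over such events, not Joe Sandbox code. Its event records are constructed to mirror the report: PIDs 3704 and 5700 are the ones WerFault names above, the other PIDs and the export-to-PID pairing for 5700 are assumptions.

```python
"""Process-tree triage for rundll32 / WerFault chains like the ones listed above.
Input records are constructed to mirror the report; this is not a sandbox export."""
import re
from typing import NamedTuple, Optional, Tuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32 accepts both  rundll32.exe "C:\path\x.dll",#1  and  rundll32.exe C:\path\x.dll,Export
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# WerFault.exe -u -p <crashed pid> -s <event handle>
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)
# Prefixes a standard user can write to; a DLL that rundll32 loads from here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll path, export) from a rundll32 command line, or None if there is no DLL argument."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def triage(events) -> list:
    """One finding dict per matched rule; crash findings carry the crashed process's command line,
    which is what turns 'WerFault ran' into 'this rundll32 export crashed'."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.rsplit("\\", 1)[-1].lower()
        if image == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed is None:
                continue
            dll, export = parsed
            if is_user_writable(dll):
                findings.append({"rule": "rundll32_user_writable_dll", "pid": e.pid, "dll": dll, "export": export})
            if export.startswith("#"):
                findings.append({"rule": "rundll32_ordinal_export", "pid": e.pid, "dll": dll, "export": export})
        elif image == "werfault.exe":
            m = WERFAULT_RE.search(e.cmdline)
            if m is None:
                continue
            crashed_pid = int(m.group("pid"))
            crashed = by_pid.get(crashed_pid)
            findings.append({"rule": "crash", "pid": crashed_pid, "reporter": e.pid,
                             "image": crashed.image if crashed else None,
                             "cmdline": crashed.cmdline if crashed else None})
    return findings


# Constructed events modelled on the report's process list. PIDs 3704 and 5700 are the ones
# WerFault names in the report; the other PIDs, and which export ran in PID 5700, are assumptions.
EVENTS = [
    Event(100, 1, r"C:\Windows\System32\loaddll32.exe", r'loaddll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll"'),
    Event(200, 100, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1'),
    Event(3704, 200, r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1'),
    Event(5700, 100, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarCreate"),
    Event(300, 3704, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 832"),
    Event(301, 5700, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 832"),
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The crash correlation is by PID only, so on a real sensor feed restrict the lookup to events from the same host and boot session; PIDs are reused. A loaddll32.exe parent is the sandbox's own harness and is not something you would alert on in production.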
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: HgTsDS6q1s.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: HgTsDS6q1s.dll | Static file information: File size 1397248 > 1048576
Source: HgTsDS6q1s.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC613E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6CC613E0
Source: HgTsDS6q1s.dll | Static PE information: real checksum: 0x15dee1 should be: 0x15a519
Source: HgTsDS6q1s.dll | Static PE information: section name: .eh_fram
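The four static checks above (image base, DllCharacteristics, header checksum, section names) come straight from the optional header and section table, and the checksum one is worth being able to reproduce: the field covers every byte of the file except itself, so a nonzero value that does not match means the file was changed after the linker wrote the header. The script below is an added example, not Joe Sandbox code; it reimplements the imagehlp CheckSumMappedFile algorithm with the standard library only, and builds a constructed header-only PE32 image to exercise the checks. The image base, DllCharacteristics, checksum value and .eh_fram section name used in the demo are taken from the report lines above; the rest of the constructed image is invented.

```python
"""Static PE triage for the header checks listed above: image base, DllCharacteristics,
section names and the header checksum. Standard library only; handles PE32 and PE32+."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names MSVC / MinGW linkers emit by default; anything else is flagged, as the report does.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".reloc",
                     ".rsrc", ".pdata", ".tls", ".CRT", ".xdata", ".debug"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header checksum the way imagehlp's CheckSumMappedFile does:
    a ones'-complement sum of every 16-bit word in the file, with the 4-byte CheckSum field
    itself treated as zero, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += padded[off] | (padded[off + 1] << 8)
    while total > 0xFFFF:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Return the header fields the triage needs; raises ValueError on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase at +24 (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = opt + 64  # CheckSum and DllCharacteristics sit at the same offsets in both formats
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        raw = data[opt + opt_size + 40 * i: opt + opt_size + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "sections": sections,
        "header_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
        "computed_checksum": pe_checksum(data, checksum_offset),
    }


def triage(data: bytes) -> list:
    """Findings in the report's own wording."""
    info = parse_pe(data)
    findings = []
    if info["image_base"] > 0x60000000:
        findings.append("Image base 0x%x > 0x60000000" % info["image_base"])
    if info["header_checksum"] == 0:
        findings.append("checksum not set (0); the loader ignores it for user-mode images")
    elif info["header_checksum"] != info["computed_checksum"]:
        findings.append("real checksum: 0x%x should be: 0x%x" % (info["header_checksum"], info["computed_checksum"]))
    for name in info["sections"]:
        if name not in STANDARD_SECTIONS:
            findings.append("section name: %s" % name)
    findings.append("DllCharacteristics: " + ", ".join(info["dll_characteristics"]))
    return findings


def build_minimal_pe32(image_base: int, dll_characteristics: int, section_names, checksum: int = 0) -> bytes:
    """Constructed header-only PE32 image for exercising the checks; not the analysed sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    demo = build_minimal_pe32(0x6D8C0000, 0x0040 | 0x0100 | 0x8000, [".text", ".eh_fram"], checksum=0x15DEE1)
    for line in triage(demo):
        print(line)
```

A zero checksum is the common case for user-mode binaries and is not suspicious on its own; the loader only enforces the field for drivers and boot-time images. The .eh_fram name is a truncation of .eh_frame to the 8-byte section-name limit and is typical of GCC/MinGW output, so on this sample it corroborates the cgo build rather than indicating packing.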
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103D810 push esi; iretd 0_2_0103D811
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103C91D push ecx; iretd 0_2_0103C938
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103C861 push eax; iretd 0_2_0103C873
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_049023B6 push 00000075h; retf 4_2_049023B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0443DCCC pushad ; retf 10_2_0443DCCD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0443C891 push cs; ret 10_2_0443C89B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0443C8E6 push es; retf 10_2_0443C8FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_04480376 push esp; ret 10_2_04480377
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0503AF38 push eax; retf 11_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0483C917 push FFFFFF97h; iretd 14_2_0483C935
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0483AF34 push eax; retf 14_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0483D79E pushfd ; retf 14_2_0483D7A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_050803C2 push eax; iretd 17_2_050803C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_051028F1 push cs; retf 17_2_051028F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C3AF63 push eax; retf 20_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C3D0B6 push ecx; retf 20_2_04C3D279
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C3AF34 push eax; retf 20_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C3D83B push ebx; iretd 20_2_04C3D83F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0483D287 push edx; iretd 21_2_0483D2B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0483AF34 push eax; retf 21_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0483D259 push edx; iretd 21_2_0483D2B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C3AF34 push eax; retf 22_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_0503AF34 push eax; retf 23_2_0503AF39
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCCC1E0 rdtscp 3_2_6CCCC1E0
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 0.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CCCC1E0 rdtscp 3_2_6CCCC1E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CC613E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6CC613E0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CC91C90 RtlGetVersion,RtlGetCurrentPeb,3_2_6CC91C90
MITRE ATT&CK Matrix (techniques per tactic, in matrix row order; a number in parentheses is the count of matched signatures for that technique):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (3)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (2); Virtualization/Sandbox Evasion (11); System Information Discovery (2); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1544802, Sample: HgTsDS6q1s.dll, Startdate: 29/10/2024, Architecture: WINDOWS, Score: 48; graph rendering and legend omitted):
  • Start: signature "AI detected suspicious sample"
  • loaddll32.exe started
    • rundll32.exe started by loaddll32.exe: signature "Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)"; WerFault.exe started by this rundll32.exe
    • cmd.exe started by loaddll32.exe; rundll32.exe started by cmd.exe; WerFault.exe started by that rundll32.exe
    • a further rundll32.exe started by loaddll32.exe; WerFault.exe started by it
    • 12 other processes started by loaddll32.exe

Source | Detection | Scanner | Label | Link
HgTsDS6q1s.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544802
Start date and time:2024-10-29 19:04:17 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:HgTsDS6q1s.dll
renamed because original name is a hash value
Original Sample Name:5a4fee8a7cbf2ca55541824b09fc67456f6b657e19ecf82927f24af4f6eb4cf4.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 180 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3452 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3704 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4176 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4460 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7004 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7196 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7236 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7300 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7348 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7388 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7408 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: HgTsDS6q1s.dll
Time | Type | Description
14:05:17 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.28982075529341
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HgTsDS6q1s.dll
File size:1'397'248 bytes
MD5:df005390baec1e1326325feb280a7fbf
SHA1:a20680153e207ad1cef43d0624d4ed3d2703cb36
SHA256:5a4fee8a7cbf2ca55541824b09fc67456f6b657e19ecf82927f24af4f6eb4cf4
SHA512:99939890229696afc4a81d59c0affe541109d6f905516ae03cf78c1e83c35d303a99dd214cabf84f4b4012bc775d123432c329f56704431d5a30a641d5616002
SSDEEP:24576:5PaAKExnfLGRC1BpTKRh1RMK7cvPw0BPWFHk20OnHOQc:5C5YtAP5MP
TLSH:C5553A00FDC744F1E403263285A7A2AF6325AD094F31DBD7FB48BA79F6732950936296
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...*.....N...N.................m......................................@... ...................... ..-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1390
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d95b710, 0x6d95b6c0
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:fc4278e40a172f1e8b037cb3d2809e66
Instruction
sub esp, 0Ch
mov dword ptr [6DA31D9Ch], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007FE51892FBB7h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA0D000h
mov dword ptr [esp+04h], eax
call 00007FE5189CB14Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D964000h
call dword ptr [6DA33224h]
sub esp, 04h
test eax, eax
je 00007FE51892FDD5h
mov ebx, eax
mov dword ptr [esp], 6D964000h
call dword ptr [6DA3326Ch]
mov edi, dword ptr [6DA33230h]
sub esp, 04h
mov dword ptr [6DA0D010h], eax
mov dword ptr [esp+04h], 6D964013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D964029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [6D95D004h], eax
test esi, esi
je 00007FE51892FD73h
mov dword ptr [esp+04h], 6DA0D014h
mov dword ptr [esp], 6DA0B124h
call esi
mov dword ptr [eax+eax], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x172000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173000 | 0xbb0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x176000 | 0x882c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14a464 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1731dc | 0x1a0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9be78 | 0x9c000 | 601b256d81a51369abfa148fd99e0d18 | False | 0.4732196514423077 | data | 6.303340762217383 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9d000 | 0x67ec | 0x6800 | b29df1be0bedd70a2b1bf4cc8f140023 | False | 0.42123647836538464 | dBase III DBT, version number 0, next free block index 1, 1st item "" | 4.459760038436202 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0xa68ec | 0xa6a00 | 64990fdec4844afe398b159e50c0786c | False | 0.4316420902100525 | data | 5.601224660452233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram | 0x14b000 | 0x1e94 | 0x2000 | b3586cda6a9f1266d88c9bd57736d705 | False | 0.3330078125 | data | 4.772055814218093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x14d000 | 0x24df0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x172000 | 0x12d | 0x200 | c87fc8f8787817a98c6f2502635f9f1e | False | 0.462890625 | data | 3.4271057556060756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x173000 | 0xbb0 | 0xc00 | f9325c52db82893fba8d59d311b3a681 | False | 0.408203125 | data | 5.213100684276811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x174000 | 0x2c | 0x200 | 39d753f3f872fc69a1bf3c2eedf6fbbd | False | 0.056640625 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x175000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x176000 | 0x882c | 0x8a00 | 6f42dc580f5058dc58b01099df09f74b | False | 0.6620244565217391 | data | 6.6268307022194985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, PostQueuedCompletionStatus, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | __mb_cur_max, _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memset, qsort, realloc, setlocale, strchr, strcmp, strerror, strlen, strncmp, strtol, vfprintf, wcslen, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9546f0
BarDestroy | 2 | 0x6d954970
BarFreeRec | 3 | 0x6d954920
BarRecognize | 4 | 0x6d9548d0
GetInstallDetailsPayload | 5 | 0x6d954830
SignalInitializeCrashReporting | 6 | 0x6d954880
SpellFree | 7 | 0x6d954740
SpellInit | 8 | 0x6d954790
SpellSpell | 9 | 0x6d9547e0
_cgo_dummy_export | 10 | 0x6da313a8
No network behavior found


Target ID:0
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll"
Imagebase:0x7d0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarCreate
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",#1
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 832
Imagebase:0x4f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:05:08
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 832
Imagebase:0x4f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:05:11
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarDestroy
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:05:14
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HgTsDS6q1s.dll,BarFreeRec
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarCreate
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarDestroy
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarFreeRec
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",_cgo_dummy_export
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellSpell
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 860
Imagebase:0x4f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellInit
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SpellFree
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",SignalInitializeCrashReporting
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",GetInstallDetailsPayload
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:05:17
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HgTsDS6q1s.dll",BarRecognize
Imagebase:0xb30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    Execution graph (graph rendering omitted): function 6ccccfc0, one path via 6ccccfd9, reaches 6ccccfe8 and calls WriteFile

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (graph rendering omitted): blocks 6ccccfc0-6ccccfd7, 6ccccfd9-6ccccfe6 and 6ccccfe8-6cccd000; the last block calls WriteFile
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 7d5ffdac974860e3f2d2cec0b697d261912466121ec73e41989a88220a197999
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: E1E0E571505600CFCB15DF18C2C170ABBE1EB48A00F0485A8DE098FB4AE734ED10CB92

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (graph rendering omitted): function starting at 6cc759f0, spanning blocks up to 6cc76c66, with calls into internal functions in the 6cc6xxxx-6cccxxxx range (no imported API calls in this function)
    Strings
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CC768DC
    • , xrefs: 6CC7606A
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CC76C34
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CC76C1E
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CC7629A
    • 5, xrefs: 6CC76C27
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CC764EC
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CC76A06
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CC764A4, 6CC7678B
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CC76C4A
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CC762C7
    • ., xrefs: 6CC761FE
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CC75ABA
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CC7699C
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-2575422049
    • Opcode ID: 6a1701c41457df6548d708151a9d0d22f9c0b69b9a60d91fa2e5e5d0b260c50e
    • Instruction ID: 0f68b52cec0980046490ea013d5f027f3e99a61777481b8f3736351234031f25
    • Opcode Fuzzy Hash: 6a1701c41457df6548d708151a9d0d22f9c0b69b9a60d91fa2e5e5d0b260c50e
    • Instruction Fuzzy Hash: 7DB217746097418FD724DF68C190B9EBBF8FB89304F01892ED98987750EB34A949DF92

    Control-flow Graph
    Strings
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CC8976B
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CC89CE8
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CC89C88
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CC89B1A
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC8967A, 6CC89AB3
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CC89BD7
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC897A2, 6CC89F68
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CC896A4, 6CC89AED
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CC896CD
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CC896F7, 6CC89721, 6CC89B44, 6CC89B6E
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CC89D15
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CC89C5B
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6CC89C04
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-566501290
    • Opcode ID: ff0357f96504ffd77796abbf3e6546604cc0f763472ff410ba237ff2fda51035
    • Instruction ID: 4b4589568c5a2b94b775bc29cd81ae37553c7495c99a92caab88e660ef961e57
    • Opcode Fuzzy Hash: ff0357f96504ffd77796abbf3e6546604cc0f763472ff410ba237ff2fda51035
    • Instruction Fuzzy Hash: A6526A7560A7048FD320DF68C48079EBBF5FF89308F11892DE99887B40E774A949DB92

    Control-flow Graph
    Strings
    • , xrefs: 6CC9169A
    • RtlGetVersion, xrefs: 6CC9177E
    • NtCancelWaitCompletionPacket, xrefs: 6CC916E2
    • RtlGetCurrentPeb, xrefs: 6CC91734
    • NtAssociateWaitCompletionPacket, xrefs: 6CC91690
    • bcryptprimitives.dll, xrefs: 6CC9158D
    • , xrefs: 6CC916A2
    • P, xrefs: 6CC917E4
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CC91807
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CC917C5
    • ProcessPrng, xrefs: 6CC915BF
    • ntdll.dll, xrefs: 6CC91608
    • NtCreateWaitCompletionPacket, xrefs: 6CC9163E
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-2332038095
    • Opcode ID: 42f458ab003c4f05a2671d342cb8993aabf7c6d0d7e66c2a08fcbf20f0a7fdac
    • Instruction ID: 8d95d5f0f922958ec4f315dc61c8af69ac5a0741edd65c54f57ae9d947014d01
    • Opcode Fuzzy Hash: 42f458ab003c4f05a2671d342cb8993aabf7c6d0d7e66c2a08fcbf20f0a7fdac
    • Instruction Fuzzy Hash: 4B71D9B4609702DFEB04DF69D19069ABBF8FB4A708F01882DE59987B80E774D448CF56
    Strings
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6CC83E09
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6CC83CB8, 6CC8412C
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CC83DAB
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC83C65
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC83CE2, 6CC84156
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6CC8418A
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CC83D16
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CC841A9
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6CC83C4F
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6CC83D81
    • , xrefs: 6CC83E12
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-893999930
    • Opcode ID: 475be78a15115a328bea25958214b62aad9333ab09038e4c656431944694ea24
    • Instruction ID: d854dd061af84a6f2b1e3acd1faa283dba4d9f24b13f2c2dd55795a0b596dbc9
    • Opcode Fuzzy Hash: 475be78a15115a328bea25958214b62aad9333ab09038e4c656431944694ea24
    • Instruction Fuzzy Hash: 0882387460E7908FD350DF29C090A9ABBF1BF89708F44896DE8C887791E734D949DB92

    Control-flow Graph
    Strings
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6CC92DC9
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6CC92D6E
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6CC92E47, 6CC92EA2
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6CC92DEC
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6CC92E7B, 6CC92ED6
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6CC92F31
    • %, xrefs: 6CC92F3A
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6CC92E20
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6CC92EFD
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CC92D29
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6CC92D95
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-2809656213
    • Opcode ID: fa1b44a7f0ac53850aadbfd9e6714db45429e168df6ec5429001e0813550948b
    • Instruction ID: 9375fa771e8bf840668ff3a673aa17c33b1ebbea77f30d3348ab00ef27d18847
    • Opcode Fuzzy Hash: fa1b44a7f0ac53850aadbfd9e6714db45429e168df6ec5429001e0813550948b
    • Instruction Fuzzy Hash: 18C1E0B42097018FD700EF68C198B9ABBF4BF89708F00896CE59887B90E775D949DF52
    APIs
    Strings
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 9b516857d0b765c2a3178bb5c4749f8b53786facb9ae5c6048a3fb279ae25598
    • Instruction ID: 278b103451d6ac9bac7b666d5593579f6b0af37631c889dd41f78eda20c926a8
    • Opcode Fuzzy Hash: 9b516857d0b765c2a3178bb5c4749f8b53786facb9ae5c6048a3fb279ae25598
    • Instruction Fuzzy Hash: F60171B2E092409BD7007FBEA64672EBEB4AB42241F01443DD98597B64E730D4048BA3
    Strings
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6CCC3E3B
    • 3-, xrefs: 6CCC3E78
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CCC381F
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CCC3E25
    • 2, xrefs: 6CCC3E70
    • p, xrefs: 6CCC3E7E
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CCC3E67
    • 4, xrefs: 6CCC3E2E
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6CCC3E51
    Similarity
    • API ID:
    • API String ID: 0-234616912
    • Opcode ID: 741328b935f4919294aaee3cd3e74f9133bc62f5998065c885294aada5fe4135
    • Instruction ID: fe0e51e228c58b974215109b3c7595825a45bf4afcbd47b9ba68d4681d2ce4b8
    • Opcode Fuzzy Hash: 741328b935f4919294aaee3cd3e74f9133bc62f5998065c885294aada5fe4135
    • Instruction Fuzzy Hash: 1062C0747083418FC304CF29D0906AABBF5BF89718F18896DE9958B792E735D949CF82
    Strings
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6CCB67E5
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6CCB6440
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6CCB6686
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6CCB6659
    • , xrefs: 6CCB6159
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CCB651D
    • , xrefs: 6CCB6151
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6CCB66B3
    Similarity
    • API ID:
    • API String ID: 0-3830612415
    • Opcode ID: 9489a4ec42370c5cd23c332b7940d75d2695b579da02a16b1c8b7476717e9dbd
    • Instruction ID: 9178f34aa5736748a249d322645507150e7192257ca5cb6f886549b0da539db9
    • Opcode Fuzzy Hash: 9489a4ec42370c5cd23c332b7940d75d2695b579da02a16b1c8b7476717e9dbd
    • Instruction Fuzzy Hash: 6F32D27460DB818FC364DF65C180B9FBBE1AFC9308F05896EE8C897751EB3099499B52
    Strings
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CC91C0D
    • timeEndPeriod, xrefs: 6CC91B73
    • &, xrefs: 6CC91C3D
    • winmm.dll, xrefs: 6CC91AF3
    • timeBeginPeriod, xrefs: 6CC91B29
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CC91BD9
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CC91C34
    Similarity
    • API ID:
    • API String ID: 0-424793872
    • Opcode ID: aee06d54501c3f41148bdd6ca77b03b2d81032caf7bfb163e4ef072342144dd3
    • Instruction ID: 85817a76a044e28c35009f3701d0c235fab813b06a9684e8f6cb334c6b46d9c8
    • Opcode Fuzzy Hash: aee06d54501c3f41148bdd6ca77b03b2d81032caf7bfb163e4ef072342144dd3
    • Instruction Fuzzy Hash: 9D51D4B06097019FEB00DF69D19475ABBF8BB4A708F00881DE59887B80EB74D548DFA2
    Strings
    • !, xrefs: 6CC9E0DE
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CC9E0BF
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CC9E0A9
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CC9E093
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CC9E0EB
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r, xrefs: 6CC9E0D5
    Similarity
    • API ID:
    • API String ID: 0-3082151594
    • Opcode ID: 930de66c0a55df1aac7e6db95dc7ba2658cf487ac2782b02c4b52f7b5e44673e
    • Instruction ID: d42f6bdc5faed3adacde6473e83623021dd3680bee583df867d9f34294d7e680
    • Opcode Fuzzy Hash: 930de66c0a55df1aac7e6db95dc7ba2658cf487ac2782b02c4b52f7b5e44673e
    • Instruction Fuzzy Hash: 8EA2DF746093819FE714DF69C090B9EBBF4BF89748F00892DE98997790EB74D848CB52
    Strings
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CC91369
    • d, xrefs: 6CC91276
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CC913C4
    • 5, xrefs: 6CC91420
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CC9139D, 6CC913F8, 6CC9144B
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CC91417
    Similarity
    • API ID:
    • API String ID: 0-2414937731
    • Opcode ID: 3e1827c6154ec8f26d37da12315471a1d94132c7088a7058647c2f5f63798376
    • Instruction ID: 3f3346045b2730ad6ec11cab41b805ff160065c2d87e2db9877ea5b2e4093815
    • Opcode Fuzzy Hash: 3e1827c6154ec8f26d37da12315471a1d94132c7088a7058647c2f5f63798376
    • Instruction Fuzzy Hash: 6B51CDB46097009FD740DF69C194B9EBBF4AF88348F00886DE99887B90E774D948DB93
    Strings
    • !, xrefs: 6CC81A18
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CC8198C, 6CC819DB
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CC81A0F
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CC819C0
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: c45d713df75ef66758b6aabb0163fb5d90c1f5862ecfb6099252dc8257d2ef22
    • Instruction ID: 97f73c098ee0aaf303b184c68d4eb3b9d944cb438cf5f364e51d23296bde89b4
    • Opcode Fuzzy Hash: c45d713df75ef66758b6aabb0163fb5d90c1f5862ecfb6099252dc8257d2ef22
    • Instruction Fuzzy Hash: 50F1D03260A3258FD701DEA984C065FBBE2BBC4348F158A3CD9A587785FB75D849C682
    Strings
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CC9A7EB
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CC9A843
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CC9A7B0
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CC9A690
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: da49c669b82901cbf025e112d5eac49f31f5c136fa1bdd4fac644ea6b35eb81b
    • Instruction ID: fdf7bbc6e20f7dc4b58c68cf9bce53ed4320de0e25e074bae1ddcfb0028a491e
    • Opcode Fuzzy Hash: da49c669b82901cbf025e112d5eac49f31f5c136fa1bdd4fac644ea6b35eb81b
    • Instruction Fuzzy Hash: 2DF1F074A093418FD308CF69C190A5AFBF1BBC9708F14896DE99887B51EB74E945CF82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: .$@$gfff$gfff
    • API String ID: 0-2633265772
    • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
    • Instruction ID: 3a8d2ac823c2da33ad22c15e42de9395aa4e29d9fdc71102da71042ae7b6d1db
    • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
    • Instruction Fuzzy Hash: A4D1B4716087058BD780DF29C48035BBBE2AF85348F18C96DE8A88BB45F770D94AD792
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 7660252f8738967c4ccf135553d4ee88e5e9012569dca4cad88555c79771334a
    • Instruction ID: 3016e643eafebdc4ee41bba25176a81fbcba0230990d4c82cb65af274ac8f751
    • Opcode Fuzzy Hash: 7660252f8738967c4ccf135553d4ee88e5e9012569dca4cad88555c79771334a
    • Instruction Fuzzy Hash: E321E0B46083429FD704CF29C08465ABBF4BB89318F00881EE4D987740E774DA88CF93
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CCA6A04
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CCA69D7
    • <, xrefs: 6CCA6A0D
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 7909e839d4dfb77de0023fc9a1be7fb13ede9e0d7826ac63bcb1513c4ab54329
    • Instruction ID: 7a3ab43aa9616cc9ed67cba263552f88f58591d09fc9b590ba7055fcee46ff7a
    • Opcode Fuzzy Hash: 7909e839d4dfb77de0023fc9a1be7fb13ede9e0d7826ac63bcb1513c4ab54329
    • Instruction Fuzzy Hash: BC027C74A08B068FC314DF69C19475EBBE1BFC4708F14892DE99887B50EB75E846CB82
    Strings
    • ', xrefs: 6CC964AC
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CC964A3
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CC9648D
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 33dd6245db820020f28fe1da99118962c3a25f4d4a6689d62d147b15139c54d2
    • Instruction ID: 5a8a147afeaba7ebcc91418e4be46e276f6f8a7b8ebe57965b564a48e9bec346
    • Opcode Fuzzy Hash: 33dd6245db820020f28fe1da99118962c3a25f4d4a6689d62d147b15139c54d2
    • Instruction Fuzzy Hash: 2AD1107460DB408FC744CF2AC090A5EBBF1AF8A708F45486DE8C987B91E735E944DB82
    Strings
    • +, xrefs: 6CC86D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CC86D4E
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: b608b6e4dde04cc6d16876823ffb7fdc4bc498403f15cad0465fd38eef1355a5
    • Instruction ID: 3f8b86c547ce53795b7b09f1506d40327e675dba6696507454ff9207ef08f593
    • Opcode Fuzzy Hash: b608b6e4dde04cc6d16876823ffb7fdc4bc498403f15cad0465fd38eef1355a5
    • Instruction Fuzzy Hash: B722EF7460A7818FD714DF29C190A5BBBF1BF89748F14892DE9D887750EB34E888CB42
    Strings
    • @, xrefs: 6CC8B4FB
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC8B60F
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: ea34988036c78bd39e99e49e40901dd91fda4d37ff29f36f91d0af5bfbeb694e
    • Instruction ID: 4c264ceabbe37a8e3e2c76ed1f522b2cc7b39594d08655ae61dd61b79abaafc2
    • Opcode Fuzzy Hash: ea34988036c78bd39e99e49e40901dd91fda4d37ff29f36f91d0af5bfbeb694e
    • Instruction Fuzzy Hash: CEA1D4756097098FD304DF18C89055ABBE1FFC8318F448A2DE9959B751EB34E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: 83d057cc2c6e3bcbaca997c3bef474fc0b39b2e657a874ea4addbd3377d19857
    • Instruction ID: 5c00794bb28f7736ea5b5fc839c1f42f8816e01701b6320df638f92f826da15e
    • Opcode Fuzzy Hash: 83d057cc2c6e3bcbaca997c3bef474fc0b39b2e657a874ea4addbd3377d19857
    • Instruction Fuzzy Hash: 3A519610D0CF9B65E6330ABEC4026267B246EB3144B01D76FFDD6B58B2E7136940BE22
    Strings
    • ,, xrefs: 6CC7CFAA
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CC7CFA1
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: 2850abc37f0145119a01a743dc417a44dee3919ca811c9cf059affd3d4ca9f4c
    • Instruction ID: 1c77c36aea1657d37922c3a54991c2a59dd37a7378f7f24fe7680a8a0cd02d7d
    • Opcode Fuzzy Hash: 2850abc37f0145119a01a743dc417a44dee3919ca811c9cf059affd3d4ca9f4c
    • Instruction Fuzzy Hash: 1D318F756493968FD305DF28C490A69B7F1BB86608F0981BDDD884F383DB31A84ACB85
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: b2c8b7546fdba6214e4ac2ad4d7383544ea01e6ac14641143ccaa7f97bd67dbe
    • Instruction ID: 1af48a083bedd62621393a56a5dc714d5d8a90686d66a54b43534ffd49b3463b
    • Opcode Fuzzy Hash: b2c8b7546fdba6214e4ac2ad4d7383544ea01e6ac14641143ccaa7f97bd67dbe
    • Instruction Fuzzy Hash: 4B22A37560D3468BC734DE98C4C4A6EB7E1AFC5308F14862ED9999BB55EB30A805CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CC70D52
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    • Associated: 00000003.00000002.1680195635.000000006CC60000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680400303.000000006CCFD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680423175.000000006CCFE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680442843.000000006CCFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680465610.000000006CD04000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680553414.000000006CDAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680579200.000000006CDB8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680634387.000000006CDCB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680654658.000000006CDD2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680674691.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1680692446.000000006CDD6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 055dd6d48050590cb62933d152a94dd1c62945a96cc356dd1b3359b6875ff194
    • Instruction ID: f44356d7fd3e7b79a5c50363de582359721ecf98a3a2b534f5c1029f76845e8a
    • Opcode Fuzzy Hash: 055dd6d48050590cb62933d152a94dd1c62945a96cc356dd1b3359b6875ff194
    • Instruction Fuzzy Hash: 06D133706093818FC754DF29C09066EBBE0FF89748F00892DE8D987B41E736E949CB62
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CC8D3CB
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 0fb58b78ccda338b8f4715b8b71c7a00cae1f19b53b8ab5e9f00f5dbe79d4ac5
    • Instruction ID: 00a5ae3901640a5fff0defc66af18d4bbbe625b6770ff43f444bff5a507e92b4
    • Opcode Fuzzy Hash: 0fb58b78ccda338b8f4715b8b71c7a00cae1f19b53b8ab5e9f00f5dbe79d4ac5
    • Instruction Fuzzy Hash: CBB1F47460A3469FC704DF69C08082ABBF1BF8A758F51892EE99587B50E734ED45CF82
    Strings
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 3889f2a518b1fbb28be79b05544ad68d22468eb5937b382327c18f41683fd3ae
    • Instruction ID: bf5f11777a7a0efc32b0c2a651c0e03b4319707be601e3a2b4a093812613614a
    • Opcode Fuzzy Hash: 3889f2a518b1fbb28be79b05544ad68d22468eb5937b382327c18f41683fd3ae
    • Instruction Fuzzy Hash: 4A9113B5A0A3059FC344DF28C48065ABBE1FFC8748F40992EE89997741E735D989CF82
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 63a18b07e0585f8a206d4ac44356dd84205aa655139198456872d7f1137459ec
    • Instruction ID: cd9f5e0efe4f73e75b50808492d6a2774b279523d31236517f39f607c9a8eaee
    • Opcode Fuzzy Hash: 63a18b07e0585f8a206d4ac44356dd84205aa655139198456872d7f1137459ec
    • Instruction Fuzzy Hash: F3E11533B4A7194BD314ADAD88C025FB6D2ABC8348F19873CDD649B780FA75D80A86C1
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 614ef7cace27d212230aecb2a275147c2a169064d40665a6ea8ff63a1faf2953
    • Instruction ID: 64f2a289793600fa501e6d00db081d11bbd07bc61a16e62c9c3aa2ace8730e2d
    • Opcode Fuzzy Hash: 614ef7cace27d212230aecb2a275147c2a169064d40665a6ea8ff63a1faf2953
    • Instruction Fuzzy Hash: AF0283756083468FD324DF68C4C066EF7E1BF89308F54892DE9999BB41E734E846CB92
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9554b0d4968fd0d5bc56cef220e5395d1cd8d2f2e98c3229da6feeae70557813
    • Instruction ID: 1050e435a1c87d755d49a28950aa95bb9896c97f659a14ebd53912bd43785618
    • Opcode Fuzzy Hash: 9554b0d4968fd0d5bc56cef220e5395d1cd8d2f2e98c3229da6feeae70557813
    • Instruction Fuzzy Hash: B0E1B433E2472507D3149E58CC80249B6D2ABC8670F4EC72DED95AB781EAB4ED5987C2
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9e5424f666b1f7f25d8cd1053b34e36c5f0f7cf28326e02195c2436e7435fb10
    • Instruction ID: 597217186392cc1b71942d7f6e61f22552bba0a7e79e8a81cc60045eb3139808
    • Opcode Fuzzy Hash: 9e5424f666b1f7f25d8cd1053b34e36c5f0f7cf28326e02195c2436e7435fb10
    • Instruction Fuzzy Hash: 73C1C232B083154FC718DE6DC89061EBBE2ABC4304F49863DE959DB7A5F7B4E9068781
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 64bc46a2b35fbe9dcc811d55d9126b56c0e619c98c49e41cec661d804a85ac8a
    • Instruction ID: 6780532d16c1637334a0db7de1b0dd8704c53ce5abe5fea60428c41a2b45c98e
    • Opcode Fuzzy Hash: 64bc46a2b35fbe9dcc811d55d9126b56c0e619c98c49e41cec661d804a85ac8a
    • Instruction Fuzzy Hash: E4E1D671A0D3568FC314DF69C0C056AFBE1AF89308F044A7DE8959B796E730E949CB92
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: de5fa073d5d45ea69b985db38c0da54914fe89e9a612de699b5955bf7b52c3e7
    • Instruction ID: 8cbb7c012a2b917e0315ba64ee224c76dcf22c568571412355015127e75811b7
    • Opcode Fuzzy Hash: de5fa073d5d45ea69b985db38c0da54914fe89e9a612de699b5955bf7b52c3e7
    • Instruction Fuzzy Hash: 73F1D27460D3918FD364CF29C090B5BBBE2BBC9304F54896DE9D887751EB31A845CB92
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0560f2f702b1db0e2edea0b947921dca036869fa4ae7a9b49eebdc0d31057e2b
    • Instruction ID: 53dcb4718ea95012440d621064d9cba57677f31837baaf600a78e372a37200a8
    • Opcode Fuzzy Hash: 0560f2f702b1db0e2edea0b947921dca036869fa4ae7a9b49eebdc0d31057e2b
    • Instruction Fuzzy Hash: 9E91553260A7154FC719EE99C4D051FBBE2FBC834CF58873CD9694B780EB75A9098682
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c183b3fdaa6861b6307a5fc1a18c5081a04d22018fa111cbeea7e6b9c401aaa9
    • Instruction ID: 2c46bfbb70b1df5bbe0eb6c9a7287f0057db945fb8a3b5eec11afbafe1118441
    • Opcode Fuzzy Hash: c183b3fdaa6861b6307a5fc1a18c5081a04d22018fa111cbeea7e6b9c401aaa9
    • Instruction Fuzzy Hash: 24812236B4A7290FD711EDA988D025E7A92ABC835CF19473CD9708B7C1FBB5990682C1
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 90935ded90aef9bf846c64d5dd6fad26c7c868f46e9074a95cab9075260fd265
    • Instruction ID: 59f8d35e9de4553249f067f7fdcc82bf2dd8bd5303cce795e532b2ff86b8f1aa
    • Opcode Fuzzy Hash: 90935ded90aef9bf846c64d5dd6fad26c7c868f46e9074a95cab9075260fd265
    • Instruction Fuzzy Hash: AA91C876A197184BD304DE59CCC025AB3D2BBC8324F49C63CECA89B745E674EE59CB81
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0837efbd3620eb582456e78d4e37281ce3698885393735f918833722ed51789b
    • Instruction ID: 1f1ca63110f3a4b9ae4730624a57c62b5d8bcb027a78a39db2ab8b4d71e25c99
    • Opcode Fuzzy Hash: 0837efbd3620eb582456e78d4e37281ce3698885393735f918833722ed51789b
    • Instruction Fuzzy Hash: 3F81F9B2A183108FC314DF19D88095AFBE2BFC9748F46892DF988D7711E771D9158B86
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dbe1d4bbd6ec4ba2581431e40752c290f17c3a8d35a339d41ce8e271baac5886
    • Instruction ID: 93157fc19675901eaf61b4307f52405ef4ea7a59adc2d3478ebc6740835e5660
    • Opcode Fuzzy Hash: dbe1d4bbd6ec4ba2581431e40752c290f17c3a8d35a339d41ce8e271baac5886
    • Instruction Fuzzy Hash: 1F91CFB49093459FC308DF28C090A5ABBF1FF89748F408A6EE99997751E730E945CF46
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
    • Instruction ID: f2809739c2cd3585b6948afdeea00ca4b9abc8dbd24cb871def534efd988c1c3
    • Opcode Fuzzy Hash: a74e3cdcd30a4e377c87d22d140c510c8f9e31ee98ac193ba90d7c9e73e1ccf2
    • Instruction Fuzzy Hash: 8F51757090C3A44AE3158F6F48D402EFFE1AFC6341F884A6EF5E443392D5B89515DBAA
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 819c9ad1994bce733e397836eaf6ad4c238d9e7658caac89ae586244e49e3ea6
    • Instruction ID: e51bb228a8480fcbda24cc5428bc747f40050f9179554f6a50ccd7189fc700e2
    • Opcode Fuzzy Hash: 819c9ad1994bce733e397836eaf6ad4c238d9e7658caac89ae586244e49e3ea6
    • Instruction Fuzzy Hash: EB51667090C3A44AE3158F6F48D402AFFF1AFC6301F884A6EF5E443392D5B89515DB6A
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a8b50cd06630e3ea30b808a45bf3664a22dce61b4cb391c0472f46f016a0dd8d
    • Instruction ID: f3a37d05bcaf2b0f8d2cf1e962022c9f5bde3bfb0225be6ba39f698bd0938de6
    • Opcode Fuzzy Hash: a8b50cd06630e3ea30b808a45bf3664a22dce61b4cb391c0472f46f016a0dd8d
    • Instruction Fuzzy Hash: 7F516BB560A3128FD318DF69C490A1ABBE0BF88708F1585BDD9599B391E731EC45CBC2
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cf8e08a52504e8d52aebc8397160204183955b0c4d4ffa5a1a3c0060d12d0411
    • Instruction ID: 590a1ac82e089f89effa3218f9c1449d57befe7b81c7098873ee9d25c825435e
    • Opcode Fuzzy Hash: cf8e08a52504e8d52aebc8397160204183955b0c4d4ffa5a1a3c0060d12d0411
    • Instruction Fuzzy Hash: 5841E570904F048FC306DE39C49021AB3E5BFC6344F44872DE95A6BB91EB319886C742
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 98a4751115d30e6e8c221174353f16870553c708ae349021ccd6818e6a687064
    • Instruction ID: ecf1b4e12e5b97fe1975e4a0916634ad4fe0cb76c2e96aceba70f0fbb92bb98b
    • Opcode Fuzzy Hash: 98a4751115d30e6e8c221174353f16870553c708ae349021ccd6818e6a687064
    • Instruction Fuzzy Hash: 833143B391971D8BD300AF498C40249F7E6AFD0B20F5E8A5ED99457701EBB0AA15CBC7
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 683895508ab3f8b3dc8796afebc0d59624675c35cf827e6fe3e598639764d24a
    • Instruction ID: 9a02e6608e845bc8e91db2b156e7e32086e9890003684224926b00e4e5cf0f4d
    • Opcode Fuzzy Hash: 683895508ab3f8b3dc8796afebc0d59624675c35cf827e6fe3e598639764d24a
    • Instruction Fuzzy Hash: F021D7317042128BD70CCF3AC9D0126B7F7ABCA710B55856CD556C7BA4E634E90AC756
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2b14979d2769b7817b66285773ed25503721aa0b57a1a12163789a9e1e749712
    • Instruction ID: 5bd8c3cb5d43f0c99947f85fde2a59ea4ce97fe51c548e10f56de7b05f595728
    • Opcode Fuzzy Hash: 2b14979d2769b7817b66285773ed25503721aa0b57a1a12163789a9e1e749712
    • Instruction Fuzzy Hash: 32116D70A083418FD705CF24C0A16A9B7B9BF8A308F44499CD59A4BBD1E77AD959CB42
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5a045358aef5743d58034934a1ccd5c8c8d6342d0d8d30c57b29e02a821ece1e
    • Instruction ID: bfef25ae438e405bd4d692e44341766417ca7241403a33c101be1d6b96181504
    • Opcode Fuzzy Hash: 5a045358aef5743d58034934a1ccd5c8c8d6342d0d8d30c57b29e02a821ece1e
    • Instruction Fuzzy Hash: 8611DBB4700B118FD398DF59C0D4A65B3E1FB8C200B4A81FDDB0A8B766C670A855DB85
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7a21cc96b9737d622452f73002ee9df768db65e2f384b1fd82e480c9075bd760
    • Instruction ID: 64f61619aea9e38937f634e4a607b3f5fde794bb4959efba2888fd413983b1b4
    • Opcode Fuzzy Hash: 7a21cc96b9737d622452f73002ee9df768db65e2f384b1fd82e480c9075bd760
    • Instruction Fuzzy Hash: C9C04CB0A1A3525DF750DB1A8144346BEE89B86344F94C49DA248C2544D27586805616

    Control-flow Graph (graph dump omitted; API calls visible in the graph: fwrite, vfprintf, abort, VirtualQuery, VirtualProtect, GetLastError, EnterCriticalSection, LeaveCriticalSection, TlsGetValue)
    Strings
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CCFB957
    • Address %p has no image-section, xrefs: 6CCFB96B
    • Mingw-w64 runtime failure:, xrefs: 6CCFB7E8
    • VirtualProtect failed with code 0x%x, xrefs: 6CCFB926
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    • Opcode ID: 15a5afdaeb84a6bba1bbba3d0b4f1b45df8f22b9c201638bbd7b43966ab534f4
    • Instruction ID: ebdacca23551d046728ce6909ed4e0cb65c5aaada057af5b01442faeb09b06b0
    • Opcode Fuzzy Hash: 15a5afdaeb84a6bba1bbba3d0b4f1b45df8f22b9c201638bbd7b43966ab534f4
    • Instruction Fuzzy Hash: 05516DB1A043059FDB50DF68C48564AFBF4FF85328F55891DE9A88B710E734E44ACB92

    Control-flow Graph (graph dump omitted; API calls visible in the graph: EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, VirtualProtect)
    Strings
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CCFBAA0
    • Unknown pseudo relocation bit size %d., xrefs: 6CCFBAED
    • Unknown pseudo relocation protocol version %d., xrefs: 6CCFBC73
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: c68fdf9a61daac286418a2919c4d023025f4eb8e3e71fa1ba244a0d4efbf58f3
    • Instruction ID: bd6671c5a05f9535236d586f7b70292f0994cff989135def65393c8acf6d2ba3
    • Opcode Fuzzy Hash: c68fdf9a61daac286418a2919c4d023025f4eb8e3e71fa1ba244a0d4efbf58f3
    • Instruction Fuzzy Hash: B691AD72E0460A8FDB50DF69C89069EB7B4FF45314F058629D9A9ABB14E330F8478BD1
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: 700794abf02a0ab37f616ff90aab91c8473387cd64cf3cecc5a2c72438698992
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: 25F18371A04A058FCB40CF69C4907DDBBF2BF89364F198269D8A4EB751E734E946CB90
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: 36607960027d2a9fbeaa5189c3ee97d5a9f97cdf700c491c393aba50447f5852
    • Instruction ID: 0cdd06ee483505990faa4ac1799f2f7b8bb3d0fcbc6120f080aa64dda455715c
    • Opcode Fuzzy Hash: 36607960027d2a9fbeaa5189c3ee97d5a9f97cdf700c491c393aba50447f5852
    • Instruction Fuzzy Hash: 8AF1C37160C7858BD7A08F26C450B9BBBE1BF86318F148A1ED9EC97781E735950BCB42
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: fa815d2607c461ae733d4046bd5263c92b103316cb593b3a3cb89be6fcaf1248
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: A6C14D71E046158BDB44CF6DC88078DBBF1BF89318F258259E868AB785E375E847CB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: 4176b8e2d7911a5ebddfed2be18cb298ab42c7c3bb03a4b42f5b3a8be552e352
    • Instruction ID: 83f7713935b677e36b639a8ae16a2dd01565652dedd7f4f70312454d71d3515c
    • Opcode Fuzzy Hash: 4176b8e2d7911a5ebddfed2be18cb298ab42c7c3bb03a4b42f5b3a8be552e352
    • Instruction Fuzzy Hash: 82F062B1F452208BEB40BF7D990625E7EF8AE05211F01057ED899CB714F630D445CBB2
    APIs
    • Sleep.KERNEL32(?,?,?,6CC61281,?,?,?,?,?,?,6CC613AE), ref: 6CC61057
    • _amsg_exit.MSVCRT ref: 6CC61086
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 8552f1150c624d790409736db68fcafe7d122847e59c8e11f1375e015cf01008
    • Instruction ID: 73519fc4885d45ff294c07a92a6dccb1dff245e260f51527afcb295f733b3548
    • Opcode Fuzzy Hash: 8552f1150c624d790409736db68fcafe7d122847e59c8e11f1375e015cf01008
    • Instruction Fuzzy Hash: 0D314A70B082418BEF00AF6EC6C135A77F8EB86359F158529D694CBE50E735E446DB82
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: 455e0299aa53fa720fcc5ab4876ac59659c48e6dc07c48c03b16a9a4a6933c5a
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: DF114C71A042018FDBA0AF28C49075ABBE0BF49354F15C569D8A8CF745FB74C84ACBA2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CCF5FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCF46F9), ref: 6CCF5FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCF46F9), ref: 6CCF600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CCF46F9), ref: 6CCF601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CCF46F9), ref: 6CCF6030
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 166c03ddc82db42baec40259ab74182835dd5ce51e44fca530a49bac102c0c81
    • Instruction ID: f1f64f69db5f0d07abafbe435df103751900708facfe33e3cc766de8c4d996e3
    • Opcode Fuzzy Hash: 166c03ddc82db42baec40259ab74182835dd5ce51e44fca530a49bac102c0c81
    • Instruction Fuzzy Hash: 2F0140B1E04305CBEB00BF7DD68655ABBB8EF42224F014629D99447A54E630F459CB93
    APIs
    • CreateEventA.KERNEL32 ref: 6CCF5EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCF5F65), ref: 6CCF5ECB
    • abort.MSVCRT ref: 6CCF5EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CCF5EE5
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: 0a60c581edec0de2b266817a7a9854af4acf5a719b4574c4db9fcda3356af668
    • Instruction ID: e76634e3f14e748769b8e855a8db11e6858081f217c37d22c22830dc47e1178c
    • Opcode Fuzzy Hash: 0a60c581edec0de2b266817a7a9854af4acf5a719b4574c4db9fcda3356af668
    • Instruction Fuzzy Hash: 1EF017B1A097118BFB40BF78C10935ABEF4FF41314F82895CD69987A50EB79E0098B93
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6CCFC942
    • MultiByteToWideChar.KERNEL32 ref: 6CCFC985
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: dfd154d0b91ff39e170630ea91b67074f964656b35ce932f08abb89063404721
    • Instruction ID: db859385667f271fa8ebbee76d1e9c9c946d2a383e53e2ea3f2e635ab221a68c
    • Opcode Fuzzy Hash: dfd154d0b91ff39e170630ea91b67074f964656b35ce932f08abb89063404721
    • Instruction Fuzzy Hash: 0A31F6B16093418FD750EF29D48434ABBF0BF86358F14891EE9E587250E376D949CB43
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: adcbea0fc371147765b4edb27768607c4953b0153cb704000b84fd4e560296b3
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: 1C410AB5A05A15CBD750CF19C484745B7E1BF85708B29829ADC68CF74AE336EC47CB90
    APIs
    • Sleep.KERNEL32(?,?,?,?,6CCFA971,?,?,?,?,?,?,00000000,6CCF8C14), ref: 6CCFA877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6CCFA971,?,?,?,?,?,?,00000000,6CCF8C14), ref: 6CCFA8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CCFA971,?,?,?,?,?,?,00000000,6CCF8C14), ref: 6CCFA8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6CCFA971,?,?,?,?,?,?,00000000,6CCF8C14), ref: 6CCFA8E8
    Memory Dump Source
    • Source File: 00000003.00000002.1680226301.000000006CC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cc60000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: 3b035be4854074e92e3cdf1691a00a738ddc17727ea2bc38ef6bd2e42e6cb5f5
    • Instruction ID: 33f2b9ab4bb5bd9a272baba84d9ab2d23619f52ef54f1a59631bc30694645b87
    • Opcode Fuzzy Hash: 3b035be4854074e92e3cdf1691a00a738ddc17727ea2bc38ef6bd2e42e6cb5f5
    • Instruction Fuzzy Hash: 4E115EB1E051098AEF40AF28D48665EB7F8EF86364F610525C562C7A14F771E487C793

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 3
    Total number of Limit Nodes: 0
    • Graph nodes: 6cf5cfc0 → 6cf5cfd9 → 6cf5cfe8 (WriteFile), with a direct edge 6cf5cfc0 → 6cf5cfe8

    Control-flow Graph

    • Basic blocks: 6cf5cfc0-6cf5cfd7 → 6cf5cfd9-6cf5cfe6 → 6cf5cfe8-6cf5d000 (WriteFile); the first block also branches directly to 6cf5cfe8
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    • Associated: 0000000C.00000002.1776692943.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777045341.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777119078.000000006CF8E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777210398.000000006CF8F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777293899.000000006CF94000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777566527.000000006D03D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777617372.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777617372.000000006D048000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777755947.000000006D05B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777837037.000000006D062000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777897930.000000006D063000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1777968017.000000006D066000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: a174bcfb58dbe82d36da09385f8bd915b1580faa55592a59090fa2b39c44bba0
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 6CE0E571505600CFCB15DF18C2C170ABBE1EB88A00F4485A8DE098FB4AD734ED10CB92

    Control-flow Graph

    • Control-flow graph of the routine starting at 6cf8b7c0 (rendered as an image in the original report). API calls seen on its paths: fwrite, vfprintf, abort, VirtualQuery, VirtualProtect, GetLastError, EnterCriticalSection, LeaveCriticalSection, TlsGetValue; internal routines called: 6cf8c560, 6cf8c010, 6cf8c150, 6cf8c090, 6cf8c450, 6cf8b820.
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CF8B926
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF8B957
    • Address %p has no image-section, xrefs: 6CF8B96B
    • Mingw-w64 runtime failure:, xrefs: 6CF8B7E8
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    • Opcode ID: 4c4563942ba96569439412127293cd26920d89bb61693064d6eccaeaf4e15267
    • Instruction ID: 7d12a90f9db4a33adda5b047453678d76360716629e54b1f59577f8496ba3b39
    • Opcode Fuzzy Hash: 4c4563942ba96569439412127293cd26920d89bb61693064d6eccaeaf4e15267
    • Instruction Fuzzy Hash: 74514AB19063059FDB00EF29C88975ABBF0FF85718F558A1DE8989B710D734E449CB92

    Control-flow Graph

    • Control-flow graph of the routine starting at 6cf8b980 (rendered as an image in the original report). API calls seen on its paths: EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, VirtualProtect; internal routines called: 6cf8c090, 6cf8c450, 6cf8b820, 6cf8b7c0.
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CF8BAED
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CF8BAA0
    • Unknown pseudo relocation protocol version %d., xrefs: 6CF8BC73
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: d949f6fe8ec7396fcd6579594996e1ed138e9a1d396b315fcff3f9d44af55458
    • Instruction ID: 8255ae920d6ffc26e510e4c8239fbd41e8c78836a6db80a377ccbfa490d56fa4
    • Opcode Fuzzy Hash: d949f6fe8ec7396fcd6579594996e1ed138e9a1d396b315fcff3f9d44af55458
    • Instruction Fuzzy Hash: F4918D72D062168FDF10DF69CC84B9AB7B5FF45308F158A29D854AB718D330E9458BD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: 9a5a6fa6dad1b016cef6ee6465bbc931ee680e2e26959fd4368666922799f497
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: D1F18172A162098FCB05CF69C48079DBBF2BF89364F19C229E854EB791D734E945CB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: ee40be3585ae22b1741b07161e1985870c295a81b07e792b95cdc70b71da02c0
    • Instruction ID: b5f31828166d95efad4ac02e6dbb32592871c94c509bc6795e6a8a042c1c7a65
    • Opcode Fuzzy Hash: ee40be3585ae22b1741b07161e1985870c295a81b07e792b95cdc70b71da02c0
    • Instruction Fuzzy Hash: 2F0171B19093558BDB00BFB8A50632EBFF4AB86654F02442DD99987614D731C415CBA3
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: a366e645d697e1a784747b0882eadbdd134833f226e6dfa1f169e61c86ac4f76
    • Instruction ID: bf370b9b654e254ca43c728a89dc67a5cd5637e654eddd8d0c0ff3850158a2a1
    • Opcode Fuzzy Hash: a366e645d697e1a784747b0882eadbdd134833f226e6dfa1f169e61c86ac4f76
    • Instruction Fuzzy Hash: C5F1D37160E7818BD7208F24C45079BBBF2BF85318F158A2ED9DC97781D735990ACB82
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: a728d74fd2168e3f97b1d7923dc298016f66a225eb8eba2bb585d5d5a5b396b0
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: CDC16E72F166158BDB05CF6CC88078EBBF1AF89318F25825AE854AB785D335E845CB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: 9165e02c0d5c413410b65c67129509982cc8fc60e65ed26c9c1356bee656915f
    • Instruction ID: 540675f90cab8332c6c8a85692c8f26cd982d579c2518a9ebf6293e8f9f3bae0
    • Opcode Fuzzy Hash: 9165e02c0d5c413410b65c67129509982cc8fc60e65ed26c9c1356bee656915f
    • Instruction Fuzzy Hash: CDF06DB294A3218BAF00BF3C5A0535A7EF4AA09210F11463AD899CB604E734D444CBE3
    APIs
    • Sleep.KERNEL32(?,?,?,6CEF1281,?,?,?,?,?,?,6CEF13AE), ref: 6CEF1057
    • _amsg_exit.MSVCRT ref: 6CEF1086
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 43d9f652e09509c79f01a306d77103af17ad51d30d90de0f0b65e4b63bb93e3e
    • Instruction ID: ac4d14de0c4374616a55e3767db4ef2ccda9d99ffaf4c6f985d8a34f765732c7
    • Opcode Fuzzy Hash: 43d9f652e09509c79f01a306d77103af17ad51d30d90de0f0b65e4b63bb93e3e
    • Instruction Fuzzy Hash: CF3192F1A092858BEB40AFA9C58432A77F4EB87748F21852DD4648BB00D735C446EB93
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: f3bb1f21314fdd0154e27408e990e932a4a3e639ba80fed6e080186a0dfc991f
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: 90114C715062018FDB40AF29C48075ABBF0FF4A714F55C669D898CFB45EB74C844CBA2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CF85FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF85FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF8600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF8601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF86030
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: be700dd0750c195e9322cc5fe26cf98500fb1e3d9177b6946e5ad70ecb75fc27
    • Instruction ID: 959ac492b9f7d86bbee468685cf0b092c55d3236f5737d67dd5f20e3b2f62185
    • Opcode Fuzzy Hash: be700dd0750c195e9322cc5fe26cf98500fb1e3d9177b6946e5ad70ecb75fc27
    • Instruction Fuzzy Hash: 7201B5B15083A5CFEB00FF7DC58A62ABBF4AF96214F01062DE89147604E730A408CBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CF85EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF85F65), ref: 6CF85ECB
    • abort.MSVCRT ref: 6CF85EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CF85EE5
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: b3bac91d1106590ed55063d9d19b96862011214f028ce47c9cc0f35fd917b762
    • Instruction ID: a4f820533e07fb0dad6fd267e14fc979985370b59ad493204d69cbd40b644d86
    • Opcode Fuzzy Hash: b3bac91d1106590ed55063d9d19b96862011214f028ce47c9cc0f35fd917b762
    • Instruction Fuzzy Hash: 55F0B7B080A7518BEB00BF78C50936EBAF0BF45744F85895CD49A87640EB79D1488BA3
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6CF8C942
    • MultiByteToWideChar.KERNEL32 ref: 6CF8C985
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: 19bb6ebc0aa0fc7ffa583653e4cada1617596142f05da3d8fef033a13e6a5ea4
    • Instruction ID: 72daa76c3100587aba7e60d64cc62a1bee72441b66a717258a775e15a8bbbb75
    • Opcode Fuzzy Hash: 19bb6ebc0aa0fc7ffa583653e4cada1617596142f05da3d8fef033a13e6a5ea4
    • Instruction Fuzzy Hash: 613104B150A3418FD700EF29D08431ABBF0BF8A358F048A5EE9D58B650E3B6D948CB43
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: de4ffece82b659c3999d97920b9d5a655d618de468e2ba729b5d8bdb76a4467b
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: AA4126B5A16215CBDB10CF18C48474AB7F1AF89708B2983A9EC48CF74AD736D846CBD0
    APIs
    • Sleep.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8E8
    Memory Dump Source
    • Source File: 0000000C.00000002.1776772057.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: 540c5cf1ee1be65ab917d047ca51c303a16ffec0435d009fb0bfb08f05bd5511
    • Instruction ID: ac019cd42481c93857e5006ce8af4820ffe0903004bdea6cd7a5d60dee1c5b93
    • Opcode Fuzzy Hash: 540c5cf1ee1be65ab917d047ca51c303a16ffec0435d009fb0bfb08f05bd5511
    • Instruction Fuzzy Hash: F21180B1C061858FEF00AB28D4CA36A77F4EF46354FA50529C862C7684E731D58AD7A3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 3
    Total number of Limit Nodes: 0
    [Execution graph: 6cf5cfc0 → 6cf5cfd9 → 6cf5cfe8 (VirtualAlloc), with a direct edge 6cf5cfc0 → 6cf5cfe8]

    Control-flow Graph

    • Executed
    • Not Executed
    [Control-flow graph: basic blocks 6cf5cfc0-6cf5cfd7, 6cf5cfd9-6cf5cfe6 and 6cf5cfe8-6cf5d000 (VirtualAlloc); edges 0→1, 0→2, 1→2]
    APIs
    Memory Dump Source
    • Source File: 00000010.00000002.1773781895.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    • Associated: 00000010.00000002.1773659422.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774091231.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774197457.000000006CF8E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774312346.000000006CF92000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774409309.000000006CF94000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774725305.000000006D03D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774813261.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774813261.000000006D048000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774986237.000000006D05B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775068865.000000006D062000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775156072.000000006D063000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775235977.000000006D066000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: a174bcfb58dbe82d36da09385f8bd915b1580faa55592a59090fa2b39c44bba0
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 6CE0E571505600CFCB15DF18C2C170ABBE1EB88A00F4485A8DE098FB4AD734ED10CB92

    Control-flow Graph

    • Executed
    • Not Executed
    [Control-flow graph for function 6cf8b7c0 (basic blocks 6cf8b7c0 through 6cf8bcec): calls fwrite, vfprintf, abort, VirtualQuery, VirtualProtect, GetLastError, EnterCriticalSection, LeaveCriticalSection and TlsGetValue; internal calls to 6cf8c560, 6cf8c010, 6cf8c150, 6cf8c090, 6cf8c450, 6cf8b820 and to 6cf8b7c0 itself]
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CF8B926
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF8B957
    • Address %p has no image-section, xrefs: 6CF8B96B
    • Mingw-w64 runtime failure:, xrefs: 6CF8B7E8
    Memory Dump Source
    • Source File: 00000010.00000002.1773781895.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    • Associated: 00000010.00000002.1773659422.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774091231.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774197457.000000006CF8E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774312346.000000006CF92000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774409309.000000006CF94000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774725305.000000006D03D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774813261.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774813261.000000006D048000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1774986237.000000006D05B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775068865.000000006D062000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775156072.000000006D063000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000010.00000002.1775235977.000000006D066000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    • Opcode ID: 4c4563942ba96569439412127293cd26920d89bb61693064d6eccaeaf4e15267
    • Instruction ID: 7d12a90f9db4a33adda5b047453678d76360716629e54b1f59577f8496ba3b39
    • Opcode Fuzzy Hash: 4c4563942ba96569439412127293cd26920d89bb61693064d6eccaeaf4e15267
    • Instruction Fuzzy Hash: 74514AB19063059FDB00EF29C88975ABBF0FF85718F558A1DE8989B710D734E449CB92

    Control-flow Graph
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CF8BAED
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CF8BAA0
    • Unknown pseudo relocation protocol version %d., xrefs: 6CF8BC73
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: d949f6fe8ec7396fcd6579594996e1ed138e9a1d396b315fcff3f9d44af55458
    • Instruction ID: 8255ae920d6ffc26e510e4c8239fbd41e8c78836a6db80a377ccbfa490d56fa4
    • Opcode Fuzzy Hash: d949f6fe8ec7396fcd6579594996e1ed138e9a1d396b315fcff3f9d44af55458
    • Instruction Fuzzy Hash: F4918D72D062168FDF10DF69CC84B9AB7B5FF45308F158A29D854AB718D330E9458BD2
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: 9a5a6fa6dad1b016cef6ee6465bbc931ee680e2e26959fd4368666922799f497
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: D1F18172A162098FCB05CF69C48079DBBF2BF89364F19C229E854EB791D734E945CB90
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: ee40be3585ae22b1741b07161e1985870c295a81b07e792b95cdc70b71da02c0
    • Instruction ID: b5f31828166d95efad4ac02e6dbb32592871c94c509bc6795e6a8a042c1c7a65
    • Opcode Fuzzy Hash: ee40be3585ae22b1741b07161e1985870c295a81b07e792b95cdc70b71da02c0
    • Instruction Fuzzy Hash: 2F0171B19093558BDB00BFB8A50632EBFF4AB86654F02442DD99987614D731C415CBA3
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: a366e645d697e1a784747b0882eadbdd134833f226e6dfa1f169e61c86ac4f76
    • Instruction ID: bf370b9b654e254ca43c728a89dc67a5cd5637e654eddd8d0c0ff3850158a2a1
    • Opcode Fuzzy Hash: a366e645d697e1a784747b0882eadbdd134833f226e6dfa1f169e61c86ac4f76
    • Instruction Fuzzy Hash: C5F1D37160E7818BD7208F24C45079BBBF2BF85318F158A2ED9DC97781D735990ACB82
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: a728d74fd2168e3f97b1d7923dc298016f66a225eb8eba2bb585d5d5a5b396b0
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: CDC16E72F166158BDB05CF6CC88078EBBF1AF89318F25825AE854AB785D335E845CB90
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: 9165e02c0d5c413410b65c67129509982cc8fc60e65ed26c9c1356bee656915f
    • Instruction ID: 540675f90cab8332c6c8a85692c8f26cd982d579c2518a9ebf6293e8f9f3bae0
    • Opcode Fuzzy Hash: 9165e02c0d5c413410b65c67129509982cc8fc60e65ed26c9c1356bee656915f
    • Instruction Fuzzy Hash: CDF06DB294A3218BAF00BF3C5A0535A7EF4AA09210F11463AD899CB604E734D444CBE3
    APIs
    • Sleep.KERNEL32(?,?,?,6CEF1281,?,?,?,?,?,?,6CEF13AE), ref: 6CEF1057
    • _amsg_exit.MSVCRT ref: 6CEF1086
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 43d9f652e09509c79f01a306d77103af17ad51d30d90de0f0b65e4b63bb93e3e
    • Instruction ID: ac4d14de0c4374616a55e3767db4ef2ccda9d99ffaf4c6f985d8a34f765732c7
    • Opcode Fuzzy Hash: 43d9f652e09509c79f01a306d77103af17ad51d30d90de0f0b65e4b63bb93e3e
    • Instruction Fuzzy Hash: CF3192F1A092858BEB40AFA9C58432A77F4EB87748F21852DD4648BB00D735C446EB93
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: f3bb1f21314fdd0154e27408e990e932a4a3e639ba80fed6e080186a0dfc991f
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: 90114C715062018FDB40AF29C48075ABBF0FF4A714F55C669D898CFB45EB74C844CBA2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CF85FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF85FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF8600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF8601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF846F9), ref: 6CF86030
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: be700dd0750c195e9322cc5fe26cf98500fb1e3d9177b6946e5ad70ecb75fc27
    • Instruction ID: 959ac492b9f7d86bbee468685cf0b092c55d3236f5737d67dd5f20e3b2f62185
    • Opcode Fuzzy Hash: be700dd0750c195e9322cc5fe26cf98500fb1e3d9177b6946e5ad70ecb75fc27
    • Instruction Fuzzy Hash: 7201B5B15083A5CFEB00FF7DC58A62ABBF4AF96214F01062DE89147604E730A408CBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CF85EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF85F65), ref: 6CF85ECB
    • abort.MSVCRT ref: 6CF85EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CF85EE5
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: b3bac91d1106590ed55063d9d19b96862011214f028ce47c9cc0f35fd917b762
    • Instruction ID: a4f820533e07fb0dad6fd267e14fc979985370b59ad493204d69cbd40b644d86
    • Opcode Fuzzy Hash: b3bac91d1106590ed55063d9d19b96862011214f028ce47c9cc0f35fd917b762
    • Instruction Fuzzy Hash: 55F0B7B080A7518BEB00BF78C50936EBAF0BF45744F85895CD49A87640EB79D1488BA3
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6CF8C942
    • MultiByteToWideChar.KERNEL32 ref: 6CF8C985
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: 19bb6ebc0aa0fc7ffa583653e4cada1617596142f05da3d8fef033a13e6a5ea4
    • Instruction ID: 72daa76c3100587aba7e60d64cc62a1bee72441b66a717258a775e15a8bbbb75
    • Opcode Fuzzy Hash: 19bb6ebc0aa0fc7ffa583653e4cada1617596142f05da3d8fef033a13e6a5ea4
    • Instruction Fuzzy Hash: 613104B150A3418FD700EF29D08431ABBF0BF8A358F048A5EE9D58B650E3B6D948CB43
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: de4ffece82b659c3999d97920b9d5a655d618de468e2ba729b5d8bdb76a4467b
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: AA4126B5A16215CBDB10CF18C48474AB7F1AF89708B2983A9EC48CF74AD736D846CBD0
    APIs
    • Sleep.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6CF8A971,?,?,?,?,?,?,00000000,6CF88C14), ref: 6CF8A8E8
    Memory Dump Source
    • Source File: 00000010.00000002.1773781895.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_6cef0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: 540c5cf1ee1be65ab917d047ca51c303a16ffec0435d009fb0bfb08f05bd5511
    • Instruction ID: ac019cd42481c93857e5006ce8af4820ffe0903004bdea6cd7a5d60dee1c5b93
    • Opcode Fuzzy Hash: 540c5cf1ee1be65ab917d047ca51c303a16ffec0435d009fb0bfb08f05bd5511
    • Instruction Fuzzy Hash: F21180B1C061858FEF00AB28D4CA36A77F4EF46354FA50529C862C7684E731D58AD7A3