Windows Analysis Report
LKwQJxGVXf.dll

Overview

General Information

Sample name: LKwQJxGVXf.dll (renamed because original name is a hash value)
Original sample name: cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f.dll
Analysis ID: 1544803
MD5: 2dbba73dbf326f0ea03d80bede21b467
SHA1: d8acc159a59cc07e0d7d6a3de7d7ba9df424c441
SHA256: cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2788 cmdline: loaddll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5300 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6564 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 3628 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4216 cmdline: rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5688 cmdline: rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1020 cmdline: rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3788 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1520 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2796 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5676 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3224 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1476 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4068 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 984 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2920 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4336 cmdline: rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.0% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CB814C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CE114C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CE114C0
Source: LKwQJxGVXf.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: LKwQJxGVXf.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 3_2_6CB79DA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 3_2_6CB78A50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 3_2_6CB6CB60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi | 3_2_6CB53000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 13_2_6CE09DA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 13_2_6CE08A50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 13_2_6CDFCB60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi | 13_2_6CDE3000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 17_2_6CE09DA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 17_2_6CE08A50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 17_2_6CDFCB60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi | 17_2_6CDE3000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CDEF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CE13620 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CB84FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CE14FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CE17450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CE150A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CDE2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CB87450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 836
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CBD4310 GetLastError,FormatMessageA,fprintf,LocalFree,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e917f5ba-49e8-4fad-b18f-f2b504d24a2e
Source: LKwQJxGVXf.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarCreate
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 812
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 844
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: LKwQJxGVXf.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: LKwQJxGVXf.dll | Static file information: File size 1198080 > 1048576
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CB513E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: LKwQJxGVXf.dll | Static PE information: real checksum: 0x13151e should be: 0x130042
Source: LKwQJxGVXf.dll | Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC46FBD push cs; ret 3_2_6CC46FC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC459F2 push es; iretd 3_2_6CC45A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC476AA push ebx; iretd 3_2_6CC479EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0483B9AB push es; iretd 4_2_0483B9AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0483AEB4 push ecx; ret 4_2_0483AED6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_04C38FC3 push es; ret 11_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_04C38F4F push es; ret 11_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_04C38F53 push es; ret 11_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_04C38F3B push es; ret 11_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CED6FBD push cs; ret 13_2_6CED6FC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CED59F2 push es; iretd 13_2_6CED5A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CED76AA push ebx; iretd 13_2_6CED79EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C38FC3 push es; ret 14_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C3B60B push esi; iretd 14_2_04C3B982
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C38F4F push es; ret 14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C3A217 push ds; ret 14_2_04C3A3B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C3A3B7 push 0004C303h; ret 14_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C38F3B push es; ret 14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_04C3A378 push ds; ret 14_2_04C3A3B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0483A9E2 push edx; ret 15_2_0483A9E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0483AEA9 push cs; ret 15_2_0483AEC7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CED6FBD push cs; ret 17_2_6CED6FC5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CED59F2 push es; iretd 17_2_6CED5A0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CED76AA push ebx; iretd 17_2_6CED79EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C38FC3 push es; ret 19_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C38FA1 push es; ret 19_2_04C38FAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C3A473 push 0004C303h; ret 19_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C38FC3 push es; ret 22_2_04C38FC6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C38F4F push es; ret 22_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C3A418 pushad ; iretd 22_2_04C3A419
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C38F3B push es; ret 22_2_04C38F4A
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBB0F80 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000E.00000002.2229264812.0000000002D6A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: rundll32.exe, 00000013.00000002.2232490236.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: rundll32.exe, 00000018.00000002.2238595309.000000000315A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 00000015.00000002.2234698661.000000000064A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: loaddll32.exe, 00000000.00000002.2237856869.0000000000666000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2140730643.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2139546766.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2166605305.0000000002ACA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2197069812.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2232731511.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2230203030.000000000061A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2233926444.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2234749334.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2237851825.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CB513E0 GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBD3630 free, free, GetProcessHeap, HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBD4AE0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBD4ADC SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CE64AE0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CE64ADC SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CE64AE0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CE64ADC SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBD4A30 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
MITRE ATT&CK matrix (a leading number marks a technique matched by signatures in this analysis):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1544803; Sample: LKwQJxGVXf.dll; Startdate: 29/10/2024; Architecture: WINDOWS; Score: 48). Signatures: AI detected suspicious sample (on the sample); Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) (on rundll32.exe). Process tree: loaddll32.exe starts rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes; cmd.exe starts rundll32.exe; each of the three rundll32.exe instances starts a WerFault.exe.

Source | Detection | Scanner | Label | Link
LKwQJxGVXf.dll | 3% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544803
Start date and time:2024-10-29 19:09:41 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:LKwQJxGVXf.dll
renamed because original name is a hash value
Original Sample Name:cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 55%
  • Number of executed functions: 6
  • Number of non-executed functions: 103
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 2788 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1020 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1476 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1520 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2796 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2920 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3224 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4068 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4336 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5688 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6564 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 984 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: LKwQJxGVXf.dll
Time | Type | Description
14:10:50 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.271647013145316
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:LKwQJxGVXf.dll
File size:1'198'080 bytes
MD5:2dbba73dbf326f0ea03d80bede21b467
SHA1:d8acc159a59cc07e0d7d6a3de7d7ba9df424c441
SHA256:cf6015d5bc81bf146e340edf1702859f56eabbd0e85eb4c1e983939db9bcdd0f
SHA512:c3621db702ca9eeb2fbdf4d6043de00374190c7ab9312f7e649fb77936cd566c1604403bf0020801f870930fa01dac56a4fe6e00743905b9e53ab5d4d11b188e
SSDEEP:24576:frbCmQfL/VgFKdx7JAkqi57hJU99mKjqjw+3j:fwlrYitz
TLSH:F2452800FD8784F1E5072672A96B62AF3735AE050F319BC7FA54BA79F6732D11832285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....L...D...F...........`.....m......................................@... ......................@..-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d944bc0, 0x6d944b70
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:a4a784e5029279463818b31167e8f38b
Instruction
sub esp, 1Ch
mov dword ptr [6DA23550h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007FBF00E1DD9Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FBF00E1DC02h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FBF00EA13FCh
mov edx, dword ptr [esp+0Ch]
jmp 00007FBF00E1DD59h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D9DF000h
mov dword ptr [esp+04h], eax
call 00007FBF00EA225Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA25224h]
sub esp, 04h
test eax, eax
je 00007FBF00E1DDF5h
mov ebx, eax
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA2526Ch]
mov edi, dword ptr [6DA2522Ch]
sub esp, 04h
mov dword ptr [6DA23584h], eax
mov dword ptr [esp+04h], 6D94D013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D94D029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D946000h], eax
sub esp, 08h
test esi, esi
je 00007FBF00E1DD93h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x164000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x165000 | 0xb94 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x168000 | 0x72d8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x11c670 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1651d0 | 0x194 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x84a98 | 0x84c00 | d9962cdf2e381bb01d1bc99b369f0f0f | False | 0.4715288812382298 | data | 6.286244455039501 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x86000 | 0x60c8 | 0x6200 | 1814ed7444d51463d0e7ab81f6d6add5 | False | 0.42247289540816324 | data | 4.421138570897084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x8d000 | 0x8fa40 | 0x8fc00 | 59a329f8eae71b80a35d7c1bbe495b35 | False | 0.43648607336956524 | data | 5.59047199969179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x11d000 | 0x1274 | 0x1400 | 7e0c196a5297fcb1314a2ce26d210985 | False | 0.3359375 | data | 4.556527782531458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x11f000 | 0x4459c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x164000 | 0x12d | 0x200 | 413e4b4248816189509f7ffe80d08073 | False | 0.458984375 | data | 3.4189467598340144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x165000 | 0xb94 | 0xc00 | e1ea2a2551376701992ead81eecc63e4 | False | 0.3958333333333333 | data | 5.069558373921308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x166000 | 0x2c | 0x200 | 51289c22ed2d6bf0af49e9f6ae9824ce | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x167000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x168000 | 0x72d8 | 0x7400 | 9de386119f3eeef3334964c2ca91ca76 | False | 0.6956155711206896 | data | 6.639051101916467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d942db0
BarDestroy | 2 | 0x6d943030
BarFreeRec | 3 | 0x6d942fe0
BarRecognize | 4 | 0x6d942f90
GetInstallDetailsPayload | 5 | 0x6d942ef0
SignalInitializeCrashReporting | 6 | 0x6d942f40
SpellFree | 7 | 0x6d942e00
SpellInit | 8 | 0x6d942e50
SpellSpell | 9 | 0x6d942ea0
_cgo_dummy_export | 10 | 0x6da23588
No network behavior found

Target ID:0
Start time:14:10:40
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll"
Imagebase:0xfa0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:10:40
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:10:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:10:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarCreate
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:10:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",#1
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:10:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 836
Imagebase:0x610000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:10:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 812
Imagebase:0x610000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:10:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarDestroy
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:10:46
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\LKwQJxGVXf.dll,BarFreeRec
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:10:49
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarCreate
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:10:49
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarDestroy
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarFreeRec
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",_cgo_dummy_export
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 844
Imagebase:0x610000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellSpell
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellInit
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SpellFree
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",SignalInitializeCrashReporting
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",GetInstallDetailsPayload
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:10:50
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\LKwQJxGVXf.dll",BarRecognize
Imagebase:0xa20000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph (nodes by address, edges as caller -> callee): 6cbb1d40 -> 6cbb1d59; 6cbb1d40 -> 6cbb1d68 (WriteFile); 6cbb1d59 -> 6cbb1d68 (WriteFile). 6cbd4790 -> 6cbd47a7 (_beginthread); 6cbd47a7 -> 6cbd47c1 (_errno); 6cbd47a7 -> 6cbd47f2; 6cbd47c1 -> 6cbd47c8 (_errno); 6cbd47c1 -> 6cbd4800 (Sleep); 6cbd47c8 -> 6cbd47d9 (fprintf, abort); 6cbd4800 -> 6cbd47a7; 6cbd4800 -> 6cbd4814; 6cbd4814 -> 6cbd47c8; 6cbd47d9 -> 6cbd47f2

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CBD47D9
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: a358e537ab497b09bf2382f2fdea7a283d58987ae5a42f57bb76e21b743ca2ee
    • Instruction ID: b0e7eb46142035d6791e8a9b646451c022dfa1c2352f37a6a9d78d15d87c6cac
    • Opcode Fuzzy Hash: a358e537ab497b09bf2382f2fdea7a283d58987ae5a42f57bb76e21b743ca2ee
    • Instruction Fuzzy Hash: 160169B550A3449FCB00BFA9D88911EBBB8EF86325F46491DE48843B11D732A488DE67

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph (3 basic blocks, rendered as a figure in the original): 6cbb1d40-6cbb1d57 → 6cbb1d59-6cbb1d66 → 6cbb1d68-6cbb1d80 (WriteFile); the first block also branches directly to the WriteFile block.
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: ca9168179598b6198dca085b123bab9db6333fc7d05c0c3da74601d214725457
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: C8E0E571505740CFCB15DF18C2C1316BBE1EB48A00F0485A8DE099FB4AD734ED10CB92

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph for the function at 6cbd3710 (about 120 basic blocks spanning 6cbd3710-6cbd3fa3, rendered as a figure in the original): imported APIs reached are SetLastError, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, memcpy, memset, IsBadReadPtr and realloc; internal calls go to 6cbd3630 and 6cbd31c0. Most error paths converge on SetLastError blocks before returning.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 3f0c2616c74e4c8296c93d0a7c66ad6d23858830ca9482d80c018c43efd7bfaf
    • Instruction ID: eef10972e9ecaf84e74bfbef47b27b9a6539a0adb62a6e45b87b66edba28acf5
    • Opcode Fuzzy Hash: 3f0c2616c74e4c8296c93d0a7c66ad6d23858830ca9482d80c018c43efd7bfaf
    • Instruction Fuzzy Hash: 644202B46097429FD750DF69C58471ABBF0FF88348F158A2DE89987B41E774E884CB82

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph for the function at 6cb65820 (basic blocks spanning 6cb65820-6cb66aab, rendered as a figure in the original): no imported APIs are called directly; the function calls internal routines including 6cbafd10, 6cb52d50, 6cb52d80, 6cbb1e90, 6cbb1120, 6cb89970, 6cbafc20, 6cba3cd0, 6cb84fd0, 6cb5a640, 6cb5a860, 6cb86be0, 6cb87450, 6cb87140, 6cb87270, 6cb86c40, 6cb86df0, 6cb9da10 and 6cb67dd0, several of them repeatedly.
    Strings
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 6CB66A8F
    • 5, xrefs: 6CB66A6C
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 6CB6635B
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 6CB667E1
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm, xrefs: 6CB66721
    • , xrefs: 6CB65ED9
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CB66A79
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CB6684B
    • /]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT, xrefs: 6CB66595
    • non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 6CB66A63
    • +:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1, xrefs: 6CB66313, 6CB665D0
    • @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0, xrefs: 6CB66136
    • ., xrefs: 6CB6606D
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile, xrefs: 6CB66109
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CB658EA
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm$+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1$.$/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
    • API String ID: 0-4142148823
    • Opcode ID: 9a75e0be4db4e5daa905b98ad99d0f4cca60f7e2fb56f734f1db850d3f60e8a1
    • Instruction ID: a3d6c94cd2e6bcecd20934b69749c38f181d1b86c6171618c2f6e3aa5c919767
    • Opcode Fuzzy Hash: 9a75e0be4db4e5daa905b98ad99d0f4cca60f7e2fb56f734f1db850d3f60e8a1
    • Instruction Fuzzy Hash: F0B2E574609781CFD724DF69C194BAEBBF4FB8A308F01892ED89987751E7709848CB52

    Control-flow Graph

    • Executed
    • Not Executed
    Control-flow graph for the function at 6cb78e10 (basic blocks spanning 6cb78e10-6cb799cf, rendered as a figure in the original): no imported APIs are called directly; the function calls internal routines including 6cbafd10, 6cbb11b0, 6cbb11a0, 6cbb11e0, 6cbb1200, 6cb7c000, 6cb78d80, 6cb86be0, 6cb87450, 6cb87270, 6cb87140, 6cb872e0, 6cb86df0, 6cb86c40 and 6cb84fd0, with long runs of repeated 6cb87450 / 6cb87140 / 6cb87270 calls in two large blocks (6cb790a2 and 6cb794e0).
    Strings
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CB7971E
    • , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1, xrefs: 6CB7912D, 6CB79157, 6CB7957A, 6CB795A4
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard , xrefs: 6CB79691
    • ][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET, xrefs: 6CB790DA, 6CB79523
    • , npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar, xrefs: 6CB7960D
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CB791D8, 6CB7999E
    • runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu, xrefs: 6CB791A1
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CB7974B
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes, xrefs: 6CB7963A
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CB79103
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CB790B0, 6CB794E9
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpuprofalloc, xrefs: 6CB796BE
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 6CB79550
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpuprofalloc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-1009071329
    • Opcode ID: c783faf87ba9e24d10467ffc5f580d92212c94ed4d0ecc79787778ca3cbce9ac
    • Instruction ID: c6d848376a08005af8cb6629e90010dceadff9e8fb312b9ca5731da15a6f7ae4
    • Opcode Fuzzy Hash: c783faf87ba9e24d10467ffc5f580d92212c94ed4d0ecc79787778ca3cbce9ac
    • Instruction Fuzzy Hash: 41524575A097848FD320DF68C08079EBBF1FF89708F15892DE9A897741D774A848CB92
    Strings
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CB73922
    • , xrefs: 6CB73ACF
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CB7399F, 6CB73D49
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 6CB7390C
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CB739D3
    • sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx, xrefs: 6CB73975, 6CB73D1F
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CB73A68
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 6CB73D7D
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CB73D9C
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac, xrefs: 6CB73A3E
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 6CB73AC6
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in 
cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-23978083
    • Opcode ID: 8e304154b8c77bead5e2a6a2ff4bf757ca729a52b784968cd94da5df0eff47a5
    • Instruction ID: 9873ddeb688c09cdd7171e06aa0e5bc7b44a9fe702e2290c8296009d1ccb92a6
    • Opcode Fuzzy Hash: 8e304154b8c77bead5e2a6a2ff4bf757ca729a52b784968cd94da5df0eff47a5
    • Instruction Fuzzy Hash: 4C8214B46097948FC324DF25C08079EBBE1BF89708F44896DE8E88B791D774D949CB62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: e960fde1c657d6fa23975e79136f65d3ab8af78af62b951a3a19127bc1a8fd68
    • Instruction ID: 883913160261b14fbb1d143485ace1ae0e911ae7b47b9109c1beec2d28a48187
    • Opcode Fuzzy Hash: e960fde1c657d6fa23975e79136f65d3ab8af78af62b951a3a19127bc1a8fd68
    • Instruction Fuzzy Hash: 730152B290A2409BC7007FB9A55632EBFB8EB42255F06452DD88587610D730A4148FA3
    Strings
    • 4, xrefs: 6CB5C777
    • unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom, xrefs: 6CB5C714
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CB5C7B0
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CB5C76E
    • delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl, xrefs: 6CB5C72A
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 6CB5C784
    • 2, xrefs: 6CB5C7B9
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CB5C219
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 6CB5C79A
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom
    • API String ID: 0-4221549744
    • Opcode ID: 7e3e2ca6589748171eea1260fb06afd4431955d7dc74c0500b6e9162c7538b68
    • Instruction ID: 2c4df6d0d7ed91cd166c320fd83d16c853bdaff3a234b7f33d2d66225183c2f0
    • Opcode Fuzzy Hash: 7e3e2ca6589748171eea1260fb06afd4431955d7dc74c0500b6e9162c7538b68
    • Instruction Fuzzy Hash: BF52BD746083848FC704DF69C09066ABBF2FF89708F94896DE8988B781D775D959CF82
    Strings
    • %!Weekday(complex128MessageBoxWSleepyMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.d, xrefs: 6CBC3FAA, 6CBC4275
    • 0, xrefs: 6CBC3491
    • 0, xrefs: 6CBC3724
    • 0, xrefs: 6CBC3530
    • )./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CBC3FC4, 6CBC428F, 6CBC43D3, 6CBC46B5
    • 0, xrefs: 6CBC3647
    • %!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B, xrefs: 6CBC43B9, 6CBC469B
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B$%!Weekday(complex128MessageBoxWSleepyMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.d$)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$0$0$0$0
    • API String ID: 0-634561255
    • Opcode ID: 369093948d6e154f4a00f273f0ec4108133ab79c976525cd6ecd3eb928b2a95b
    • Instruction ID: d6163d69a31dd347e2c70b15c6185d5de51dce462eba549d918dd421237d3657
    • Opcode Fuzzy Hash: 369093948d6e154f4a00f273f0ec4108133ab79c976525cd6ecd3eb928b2a95b
    • Instruction Fuzzy Hash: 4103E0B4A093818FC728CF18C09069EFBE1BFC9314F54892EE99997751D770A949CB93
    Strings
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an, xrefs: 6CBA8627
    • (=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P, xrefs: 6CBA840E
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit , xrefs: 6CBA8654
    • :(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CBA84EB
    • , xrefs: 6CBA8127
    • , xrefs: 6CBA811F
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard , xrefs: 6CBA87B3
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin, xrefs: 6CBA8681
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit $(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P$:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard
    • API String ID: 0-1565611637
    • Opcode ID: fb0d49e5439828067a05af0b43980b1294a7bf2f80e5a6c683dd3d5763582b3f
    • Instruction ID: 1d04b3e0e5a260d0f220edfb67fbe02f8043b5e79e4d1f9589680bd48f8e5e17
    • Opcode Fuzzy Hash: fb0d49e5439828067a05af0b43980b1294a7bf2f80e5a6c683dd3d5763582b3f
    • Instruction Fuzzy Hash: F532B27460D3C18FC364DF65C18079EBBE1EF89308F04892EE8D997B51DB3598499B52
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: b642a3275c2242b2474d0ed829016a5c24caf3fcb0553e6b4e88d35b8ea6c9b6
    • Instruction ID: 5ec1850d2abfb6fab25919e8837390492bbdbfe11df10736d6481942c949ae58
    • Opcode Fuzzy Hash: b642a3275c2242b2474d0ed829016a5c24caf3fcb0553e6b4e88d35b8ea6c9b6
    • Instruction Fuzzy Hash: 2E019DB05093019FDB00AF68C18930EBFF0AB88349F01891DE8989B250E7799148CF97
    Strings
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6CB8DED8
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out, xrefs: 6CB8DE96
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CB8DEEE
    • !, xrefs: 6CB8DEE1
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 6CB8DEC2
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CB8DEAC
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out
    • API String ID: 0-3247796029
    • Opcode ID: bbec293f918e3784e4f5ce093ea38962b1fa0506b62d1e03ac5f7a215302b6e4
    • Instruction ID: 4b32040935ba3d2f2fa76f94280c1ad9e3f6b4415a9d3dfb7b4acc5c5d122738
    • Opcode Fuzzy Hash: bbec293f918e3784e4f5ce093ea38962b1fa0506b62d1e03ac5f7a215302b6e4
    • Instruction Fuzzy Hash: 53A2CF7460A3819FD714DF69D190B6EBBF0AF8A748F50882EE8D887750E734D8488B53
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CBD4B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CBD4B3F
    • GetCurrentProcess.KERNEL32 ref: 6CBD4B48
    • TerminateProcess.KERNEL32 ref: 6CBD4B59
    • abort.MSVCRT ref: 6CBD4B62
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 5a608b218dc738a8fd6be387474c3d87ce17c963dcee0e969ca1a8684cb456e7
    • Instruction ID: 73c33eaee45634b2a456d180e5cf9316dbc177b987c69a82a2b48ecd0eb76ed9
    • Opcode Fuzzy Hash: 5a608b218dc738a8fd6be387474c3d87ce17c963dcee0e969ca1a8684cb456e7
    • Instruction Fuzzy Hash: 9E1102B5A057018FCB00EFA9C24465EBBF0FB4A304F458929E88887341E735A948CF8B
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CBD4A69
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CB513B9), ref: 6CBD4A7A
    • GetCurrentThreadId.KERNEL32 ref: 6CBD4A82
    • GetTickCount.KERNEL32 ref: 6CBD4A8A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CB513B9), ref: 6CBD4A99
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: ac2d5681589aa59c127d650a6161e2e111b2e172e577afef3a7dd48755059c3f
    • Instruction ID: 1af890f110570e82f7b3b42e81986af417eda2bef674f8c46d8a417755866fd3
    • Opcode Fuzzy Hash: ac2d5681589aa59c127d650a6161e2e111b2e172e577afef3a7dd48755059c3f
    • Instruction Fuzzy Hash: A9115EB66453018FCB00EFB9E98864BBBF4FB89355F01093AE544C7600EB35E4488B92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CBD4B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CBD4B3F
    • GetCurrentProcess.KERNEL32 ref: 6CBD4B48
    • TerminateProcess.KERNEL32 ref: 6CBD4B59
    • abort.MSVCRT ref: 6CBD4B62
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: dc4427cd94f99f56a09c5198928f54230ce19edc6fd9cbee5e991f600ef23ffc
    • Instruction ID: b1b7b67fc92137f8159f35bc3b81f98833143f63758bb14c23e1c447bb7bf032
    • Opcode Fuzzy Hash: dc4427cd94f99f56a09c5198928f54230ce19edc6fd9cbee5e991f600ef23ffc
    • Instruction Fuzzy Hash: EF1105B5A02601CFCB00EFE9C648659BBF4FB06304F058529E84897341EB70A844CF8B
    Strings
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CB7169F
    • !, xrefs: 6CB716A8
    • runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper, xrefs: 6CB7161C, 6CB7166B
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CB71650
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper
    • API String ID: 0-1474820873
    • Opcode ID: 027bf8fe49c4cf296e9fba784e6137ddc0a36857626a422fdbc7561d48e05224
    • Instruction ID: ea20a594bb56bbcfeb88ec0152f2aac27e11bacc478d76e25fb5195ee97c43b0
    • Opcode Fuzzy Hash: 027bf8fe49c4cf296e9fba784e6137ddc0a36857626a422fdbc7561d48e05224
    • Instruction Fuzzy Hash: CBF104326093654FD714CE98C4D064EB7E2EBC4348F19863CDCA99B781EB71D909CBA2
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: c9e411d8c9e836f223bb92a4fbe07a539fccf730ab1e8a3ad65133a686a32300
    • Instruction ID: 77be0bab70474fffcb25059798094eb3ef13f24c41af4776b9a0f1240433a364
    • Opcode Fuzzy Hash: c9e411d8c9e836f223bb92a4fbe07a539fccf730ab1e8a3ad65133a686a32300
    • Instruction Fuzzy Hash: C821E5B5A096418BDB04AF25C5C871ABBF0FF84714F16C96CE8888B70AD735E845CB92
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 9271cd7b4b23d24034322d8b26bfcb2cd0b6288f05443beb2b127ce061d91841
    • Instruction ID: 65d0aaed963897994ef277808f40a34ceba7fdce57b91b1a817dea3eb7967100
    • Opcode Fuzzy Hash: 9271cd7b4b23d24034322d8b26bfcb2cd0b6288f05443beb2b127ce061d91841
    • Instruction Fuzzy Hash: 8E21DFB4A0A3418FC704CF25D094A5ABBF0FB89708F04891EE49987740E775EA48CF93
    Strings
    • ', xrefs: 6CB864E3
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena, xrefs: 6CB864DA
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno, xrefs: 6CB864C4
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena
    • API String ID: 0-536681504
    • Opcode ID: ccccfe4b707d12a6a79aeefeba127b28c1412ca9231ccf4138df218d2eb97fed
    • Instruction ID: 54f84123dd04922018318384ee79f70cb1e32997e305de67bc600a81c00026a4
    • Opcode Fuzzy Hash: ccccfe4b707d12a6a79aeefeba127b28c1412ca9231ccf4138df218d2eb97fed
    • Instruction Fuzzy Hash: C3D10F7460E3908FC705DF29C090A5EBBE1AF8A748F4848ADE8D49BB52D735E944CB53
    Strings
    • +, xrefs: 6CB76849
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CB76840
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: ad309a4b4a5ac8ad2db15896b53de33c5cc235976c9e3f871b46aa9edce8186e
    • Instruction ID: 4fea5e338a5bbf38812d964e0c69da4122518c9ef73c74f16d8e6bd8605db009
    • Opcode Fuzzy Hash: ad309a4b4a5ac8ad2db15896b53de33c5cc235976c9e3f871b46aa9edce8186e
    • Instruction Fuzzy Hash: D922FD746093818FC364DF69C090A5EBBF1BF89744F54892DE9E887B50EB34E848CB52
    Strings
    • @, xrefs: 6CB7AF6E
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CB7B085
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 09da23bac3db6f0aa155e4fc8422de987c0bba9675925a549bf7c8ab007ce63a
    • Instruction ID: 348a7a24d2cf72e41fcf74f6bd4bd3c672004c83c6145b79b666458ac4e1b36b
    • Opcode Fuzzy Hash: 09da23bac3db6f0aa155e4fc8422de987c0bba9675925a549bf7c8ab007ce63a
    • Instruction Fuzzy Hash: BCB17C756087458FC308CF64C49065EB7E1FFC8318F488A2DE9999B781DB74E95ACB82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: d2cebec5197ed42e7583f04e7ac0334ffd51ae2598362a16553dc2a168c1e4d3
    • Instruction ID: 24dfb502b5c65b25e9fe4fb2e33807fa1d59a5cebbe458ddf8e647f4300c3805
    • Opcode Fuzzy Hash: d2cebec5197ed42e7583f04e7ac0334ffd51ae2598362a16553dc2a168c1e4d3
    • Instruction Fuzzy Hash: 7F518A14C0CF9B65E6330AFDC4025667720AEB3244B01D76FFDD6754B1E7136940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 6CB6CC41
    • ,, xrefs: 6CB6CC4A
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
    • API String ID: 0-2682900153
    • Opcode ID: 0af2018f690983626a8eb1ceb708f6aa9c04731eb06a3284eb0461116398bca9
    • Instruction ID: 61015355e4b4786a466c4bab45cf4b56f0d49ef1f687c5a613120aca0c1a370e
    • Opcode Fuzzy Hash: 0af2018f690983626a8eb1ceb708f6aa9c04731eb06a3284eb0461116398bca9
    • Instruction Fuzzy Hash: 9B318E75A057A68FD305DF18C490AA9B7F1BF86208F4885BDCC484F383DB31984ACB91
    Strings
    • ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD, xrefs: 6CBC63DE
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD
    • API String ID: 0-4001910974
    • Opcode ID: d7eab2083ee11e4d8c2c13d4c304e20f20a5a1a74f80cf43ea9495116fdaa853
    • Instruction ID: 47656825765e5e7cdd7f344e022dfce024ba14a9237f1a7c09a8ac7697a0d4a4
    • Opcode Fuzzy Hash: d7eab2083ee11e4d8c2c13d4c304e20f20a5a1a74f80cf43ea9495116fdaa853
    • Instruction Fuzzy Hash: 265204B1A083858FD334CF19C55079EBBE1ABD8308F45892DD9D897381EBB599488B93
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 6CB7CDFB
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
    • API String ID: 0-3032229779
    • Opcode ID: 30bfc6171d6a3ec529c24de500a63ad7ebbe17abdd5915e475134392b09f902f
    • Instruction ID: ccc3830ce5e48f944a75ac80f7fd8e2014c1590b61404535467a78b3ef5c0846
    • Opcode Fuzzy Hash: 30bfc6171d6a3ec529c24de500a63ad7ebbe17abdd5915e475134392b09f902f
    • Instruction Fuzzy Hash: 88B10074A093898FC754EF68C18092EBBF0FB89704F51992DE8A597750E734E845CBA2
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 95c5680ee03dd409c2c724a3aef9e209513dde638b0b5ffeb3107dade1b963e5
    • Instruction ID: 50e316fce31be203dddb57af9510a84f4e8edf1e49ca94e5be2df84908b26673
    • Opcode Fuzzy Hash: 95c5680ee03dd409c2c724a3aef9e209513dde638b0b5ffeb3107dade1b963e5
    • Instruction Fuzzy Hash: CCA18171B083054FC30CDE5DD95131ABAE2EBC8304F09CA3DE599DB7A4E674D9098B86
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 33439f0403e607c04115b0854664b3dedf69d37891e482d9f55df1a8a21a3b98
    • Instruction ID: 4763aa49ad739fb3d21192ab884550e70e97699a196afcfe493938b1e628c5d8
    • Opcode Fuzzy Hash: 33439f0403e607c04115b0854664b3dedf69d37891e482d9f55df1a8a21a3b98
    • Instruction Fuzzy Hash: A29144B5A093849FC354CF28C08065EBBE0FF89744F44992DE8A997741E734E988CF92
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 123ba4295ee9a2a3d25bd68abd59e5f475f98f42fd5b1991f7fc48f5381f67bf
    • Instruction ID: 444c946f9bcdaf9ad1b2012df9439ee75f6c16faaedf52feb211991656537a64
    • Opcode Fuzzy Hash: 123ba4295ee9a2a3d25bd68abd59e5f475f98f42fd5b1991f7fc48f5381f67bf
    • Instruction Fuzzy Hash: AF225D71B0C7898FD724CE69C49035FB7E2FB85304F55892DD989AB740EBB199098B83
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9b89a79ef6d999a4f7e0e003bdfca3c9cfbbc1f78d6e9b6f55786cad58d3af0f
    • Instruction ID: 348bfe8ce1bc196934fcc0edf8388799f5824a1933adad4d975b0c1ad8c8578f
    • Opcode Fuzzy Hash: 9b89a79ef6d999a4f7e0e003bdfca3c9cfbbc1f78d6e9b6f55786cad58d3af0f
    • Instruction Fuzzy Hash: EC129772B087498FC324DE5DC98024AF7E6BBC4304F59CA3DD9588B755EB70E9098B86
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 057fa5ec794a1688a5eca6b784f9fb175a7a503fa3a10b7724e312a7dc3845d4
    • Instruction ID: 2909c0083e196a6de182cbb0ff5c91d32cbd75f220795935e44362a03ef60660
    • Opcode Fuzzy Hash: 057fa5ec794a1688a5eca6b784f9fb175a7a503fa3a10b7724e312a7dc3845d4
    • Instruction Fuzzy Hash: 68E11633B497594BD3289DA988C025EB2D2EBC8344F19873CDD649B780FA75D90A8BD1
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd6855d6fa70fec329aa654f7f6a2d7ad54561fecd7f35a6382057424c4b052d
    • Instruction ID: e905d2ada8ab27884ebec9edeb8bf380c4ceb636a346ed4b62373786f9c2ac33
    • Opcode Fuzzy Hash: bd6855d6fa70fec329aa654f7f6a2d7ad54561fecd7f35a6382057424c4b052d
    • Instruction Fuzzy Hash: 7FE1D433E2472547D3149E58CC80249B2D3ABC8670F4EC72DEDA5AB781E9B4ED5987C2
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a58bc239ea178cb61a7a17fe04a978f2a6270af96979a40e50c47111e6c2adc3
    • Instruction ID: e81198aa3ed47be09614d4c8d0442ca8f103b2572968b445e0d14496f4f3dedf
    • Opcode Fuzzy Hash: a58bc239ea178cb61a7a17fe04a978f2a6270af96979a40e50c47111e6c2adc3
    • Instruction Fuzzy Hash: 5EE1B172B4C3958BC315CF29845021FFBE2ABC5704F49896DECA1AB741EBB59905CB83
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 765207c8195dc9bb1fde7cc851f36cd8a530fddb12636dcae87beafb46edd7ab
    • Instruction ID: c7a89f9fdbf9b13565b8a00ef365671ad4f6775b3aca77f03dc8fd93eaea6b27
    • Opcode Fuzzy Hash: 765207c8195dc9bb1fde7cc851f36cd8a530fddb12636dcae87beafb46edd7ab
    • Instruction Fuzzy Hash: E2C11532B483554FC709DE6DC89060EBBD6ABC8344F498A3DE8589B7A1E7B5DC0587C2
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 759846804db0db5303211b9bb613f5d1ac2a9ca5ca50aaf236c8c796663d3e08
    • Instruction ID: 6e610f10e574335f535ff3fb6f3f4e51a19f109e40f2add8ef72bc45f1545bef
    • Opcode Fuzzy Hash: 759846804db0db5303211b9bb613f5d1ac2a9ca5ca50aaf236c8c796663d3e08
    • Instruction Fuzzy Hash: 2EF1A07864D3918FC364CF2AC190B9FBBE2BBC9204F54892DE9D887751DB31A805CB52
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f4eff944876a83ca345be9fbfa9670ce8c02512c3efdb46272a754cbc72ef50f
    • Instruction ID: d1fb1650b3b89cbf1c03b8ce1e524c2d32fbc4d79c1c30ed0c3406dece4c6588
    • Opcode Fuzzy Hash: f4eff944876a83ca345be9fbfa9670ce8c02512c3efdb46272a754cbc72ef50f
    • Instruction Fuzzy Hash: A9C1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91867D96448F7C3DA3AF46B97A4
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 49e287a2c306e46f35f3ae545d2e4a14cdf9a63a8e8d086dd4bee308fd538143
    • Instruction ID: 262200b3b65740148a9c4d335b22b2c55bb8239847519bea15e2140627c94f0b
    • Opcode Fuzzy Hash: 49e287a2c306e46f35f3ae545d2e4a14cdf9a63a8e8d086dd4bee308fd538143
    • Instruction Fuzzy Hash: 64C1627060432A4FC251CE5EDCC096A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 25db34dfcde003834b1e732a4ca37a6bbc62f23d7bce64fb67d0cd357f65219e
    • Instruction ID: 8c99eb5a7a5aaa58030e3d737f882faee345746509345b44d4726feb4d48893e
    • Opcode Fuzzy Hash: 25db34dfcde003834b1e732a4ca37a6bbc62f23d7bce64fb67d0cd357f65219e
    • Instruction Fuzzy Hash: 009144326497554BC329EE99C4D051EB3E2FBC8348F19873CDD790B780EB7199098792
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: be9804d62baf3f4d670ece839f1c32999818d89dde83d902d339703b8119349a
    • Instruction ID: de452c59c4a7220946ab3574c5f2fec03039a10593427f15c9bada05336a57ca
    • Opcode Fuzzy Hash: be9804d62baf3f4d670ece839f1c32999818d89dde83d902d339703b8119349a
    • Instruction Fuzzy Hash: 76811236A497690FD726ADA888C025E3292EBC8358F19473CDD749B7C1EF75980983D2
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 507776df688d80ca00761b664db624620e2f1fa883209130e5eb99717aa63afe
    • Instruction ID: 44d1d84bd9f1a3f96e8f4a12f1eeec6a7c593d8d7c969d44d84f82740570d4c9
    • Opcode Fuzzy Hash: 507776df688d80ca00761b664db624620e2f1fa883209130e5eb99717aa63afe
    • Instruction Fuzzy Hash: 4E91C976A187184BD314DE59CCC0259B3E2BBC8724F49C63CECA897745E674EE49CB82
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ae41fd220aa665b39002906800e30a6d6a40414a9ec4ca89b57e888842023be2
    • Instruction ID: 427b1acf294a4ec4db83493fcb71dd0b8c401926e09b2119b76ace5cd5989fc1
    • Opcode Fuzzy Hash: ae41fd220aa665b39002906800e30a6d6a40414a9ec4ca89b57e888842023be2
    • Instruction Fuzzy Hash: 688107B2A083508FC314DF29D88095AF7E2BFC8748F46892DF988D7711E771E9158B86
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 40cc08fd293c35126308d6ab12ae22bf5475307bf5a074922c529c4a7d57443c
    • Instruction ID: 09161eecd07a9516a2e06ddf0f32278d0120bbe0fccda777bd544f22383cfe06
    • Opcode Fuzzy Hash: 40cc08fd293c35126308d6ab12ae22bf5475307bf5a074922c529c4a7d57443c
    • Instruction Fuzzy Hash: 9591CCB49093859FC358CF28C190A5ABBE0FF89748F009A5EE8A997751D730E949CF52
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aa2fb2f0a52c4998fd30e0bfe34e55780734f9b95aa5ed0ac4b67d76a0e01cbf
    • Instruction ID: ad798e8485e179199eb4b6c475523f0613e8207bc21d110d847f970df8036164
    • Opcode Fuzzy Hash: aa2fb2f0a52c4998fd30e0bfe34e55780734f9b95aa5ed0ac4b67d76a0e01cbf
    • Instruction Fuzzy Hash: 4761A77090C3A44AE30D9F6E84A503EFFE19BC9701F444E6EF5E613382D9B49505DBAA
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0054718ba037df9ee6c6072affea027cb72b69356c1e3cf1e701a727ff6479aa
    • Instruction ID: ecf9f792485a7e7bc949429214cd388ad202748ce24c40d57ab800e0c5de9f03
    • Opcode Fuzzy Hash: 0054718ba037df9ee6c6072affea027cb72b69356c1e3cf1e701a727ff6479aa
    • Instruction Fuzzy Hash: C65157B560A3129FC318DF65C590A1AB7E0FF88644F04867CE9999B392DB31E845CBD2
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8c7846e6b17725a05a76a8e7f1a9736c7a154c03cf03470cce693508fe65a657
    • Instruction ID: 751db1797d7b2824020bc200539a3289ea0b8b056525d3b2b6b657f2ece7b8bf
    • Opcode Fuzzy Hash: 8c7846e6b17725a05a76a8e7f1a9736c7a154c03cf03470cce693508fe65a657
    • Instruction Fuzzy Hash: 7B41C774A08B454FC306DE79C45021AB3F6FFCA384F54872DE98A6B752DB319842C741
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5fce20380280f122441e6783f9a89e9a9967eb4a926ced55c08339715aaf25c3
    • Instruction ID: c3eb2c6a10f9432fa5a724a06b7dad955faf9edd61f01f2efc0d99cfb7e9d21e
    • Opcode Fuzzy Hash: 5fce20380280f122441e6783f9a89e9a9967eb4a926ced55c08339715aaf25c3
    • Instruction Fuzzy Hash: 0031667381975D8BD300AF49DC40149F7E2ABC0B20F5E8A5DD9A417701DBB0AA15CBC7
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a63510f819fa61d7f09327cfc09c3209c9736e23e2507cd5f4cbdbfc7803edd7
    • Instruction ID: 9d36fd8253e206fe3b5deb80d820d8136c24f4f68c02cc862f730d36ebb68a74
    • Opcode Fuzzy Hash: a63510f819fa61d7f09327cfc09c3209c9736e23e2507cd5f4cbdbfc7803edd7
    • Instruction Fuzzy Hash: 1021D471B08245CBDB0CCF79D8D012BB7F2EBCA710799856CD845C7A94DA34A816C756
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f2671fe87357792ca15c83be8b22feb0e31429aa1b8c20866cbdccbcabad650e
    • Instruction ID: 0daaea762e407cbb3fea3bf81cbd2762162afeb9d946b0eb85a530838cc5a588
    • Opcode Fuzzy Hash: f2671fe87357792ca15c83be8b22feb0e31429aa1b8c20866cbdccbcabad650e
    • Instruction Fuzzy Hash: A8111BB4740B128FC348DF99C0D4966B3E1FBCD210B4682BDDA4A8B767C670A811DB85
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7fcbbf6f9babb346dbd9306dfd010f069a791053bea0752376cbdcb5e1fbfd1a
    • Instruction ID: e4c1ef8139712425829bdf520ee3cc2a2eb97ab45e42b99f0fb27ff6cb22a755
    • Opcode Fuzzy Hash: 7fcbbf6f9babb346dbd9306dfd010f069a791053bea0752376cbdcb5e1fbfd1a
    • Instruction Fuzzy Hash: 6AC08CF0A0E3D19DEB40CB28A30436ABEE08B81740F80C0D8A14843540C334C1808315

    Control-flow Graph

    APIs
    Strings
    • unexpected cgo_bindm on Windows, xrefs: 6CBD4684
    • runtime: failed to signal runtime initialization complete., xrefs: 6CBD470C
    • ;, xrefs: 6CBD46F8
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: bb41c3b183b1a8c0d37d19e4f255a23be36acd9df65383e868d40309e7e759b1
    • Instruction ID: 5a4497072976043ddfe74e21da835a3b47b8cd15e6b726ef7a737bc7a7b8ed80
    • Opcode Fuzzy Hash: bb41c3b183b1a8c0d37d19e4f255a23be36acd9df65383e868d40309e7e759b1
    • Instruction Fuzzy Hash: 2811B2F25046418FDB00BFA8C10A25EBBF4BB42304F85491CD889AB611EB75A488CB97
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CBD4D7A
    • Address %p has no image-section, xrefs: 6CBD4DBB
    • @, xrefs: 6CBD4D58
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CBD4DA7
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: a5076867fdcec307e74fbef339ddaf93ff981594d4d4c14ed1fc15a2b00d70df
    • Instruction ID: 81185ab31d3e7df4edc1c5f6abf804fc0dbc2ce29a56b2321e8db9c3dc22b7bb
    • Opcode Fuzzy Hash: a5076867fdcec307e74fbef339ddaf93ff981594d4d4c14ed1fc15a2b00d70df
    • Instruction Fuzzy Hash: E941AFB2A043519FCB00DFA9D58465AFBF0FB85314F568A19D85887704E730F808CF96
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: ea3f5e2aafdb784b1a828da319b2d8dc01d25f93b618097557313b17c7ddc2b1
    • Instruction ID: a77e00fce20c66935d6eed9bd21733335677ac82b952e84aa84a004304cc0942
    • Opcode Fuzzy Hash: ea3f5e2aafdb784b1a828da319b2d8dc01d25f93b618097557313b17c7ddc2b1
    • Instruction Fuzzy Hash: 0251AEB56083558FC700DF29D48025EB7F5FBC8319F16892EE898D7601E778E949CB92
    APIs
    • malloc.MSVCRT ref: 6CBD484F
    • fwrite.MSVCRT ref: 6CBD489D
    • abort.MSVCRT ref: 6CBD48A2
    • free.MSVCRT ref: 6CBD48C5
      • Part of subcall function 6CBD4790: _beginthread.MSVCRT ref: 6CBD47B6
      • Part of subcall function 6CBD4790: _errno.MSVCRT ref: 6CBD47C1
      • Part of subcall function 6CBD4790: _errno.MSVCRT ref: 6CBD47C8
      • Part of subcall function 6CBD4790: fprintf.MSVCRT ref: 6CBD47E8
      • Part of subcall function 6CBD4790: abort.MSVCRT ref: 6CBD47ED
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    • Associated: 00000003.00000002.2142207733.000000006CB50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142267661.000000006CBD6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142287636.000000006CBD7000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142305746.000000006CBD9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CBDD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142322281.000000006CC45000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142384869.000000006CC6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC75000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142398590.000000006CC79000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142428672.000000006CCAD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142442701.000000006CCB4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142456287.000000006CCB5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2142472505.000000006CCB8000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 13a34b4fd9264b47a62dc00462eb602cc09ff83f651416f0325a36c9b5f3165c
    • Instruction ID: 21364b72ce8a9986b12e371481ee05e4a37124cd62d9c938038cb4e23d3baadf
    • Opcode Fuzzy Hash: 13a34b4fd9264b47a62dc00462eb602cc09ff83f651416f0325a36c9b5f3165c
    • Instruction Fuzzy Hash: A621F4B49047808FD700EF29D58491ABBF4FF89304F46899DE9888B725D339E884CF96
    APIs
    • CreateEventA.KERNEL32 ref: 6CBD44B2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CBD4569), ref: 6CBD44CB
    • fwrite.MSVCRT ref: 6CBD4500
    • abort.MSVCRT ref: 6CBD4505
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CBD44F9
    • =, xrefs: 6CBD44E5
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 502468605c77269348a126862c534d4521e7352b737a76822763efb755f0f2c1
    • Instruction ID: 0466b576515c6d80ac5209f75c3c5ddb909acfc9aa7453ee720230af08cffff2
    • Opcode Fuzzy Hash: 502468605c77269348a126862c534d4521e7352b737a76822763efb755f0f2c1
    • Instruction Fuzzy Hash: D6F0C9B05057019FEB00BF68C50935EBAF4FB41349F86885DD49897651EB7A90888F57
    APIs
    • Sleep.KERNEL32(?,?,?,6CB512E0,?,?,?,?,?,?,6CB513A3), ref: 6CB51057
    • _amsg_exit.MSVCRT ref: 6CB51085
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 749a207f39a376d1f8cc30e6a6a7a021f2b83d0b6241055e3303dfbf986e4bbc
    • Instruction ID: 7a16290a24aad7d44d04363024c9757038aa8e11eb039308010ae25e1f0b37dc
    • Opcode Fuzzy Hash: 749a207f39a376d1f8cc30e6a6a7a021f2b83d0b6241055e3303dfbf986e4bbc
    • Instruction Fuzzy Hash: 2741D6B17092808FEB00AF9AC58575AB7B4EB45344F9D862DD448CBB01DB35D899CB87
    APIs
    • VirtualQuery.KERNEL32 ref: 6CBD4D0D
    • VirtualProtect.KERNEL32 ref: 6CBD4D67
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC6CA48), ref: 6CBD4D74
      • Part of subcall function 6CBD5A10: fwrite.MSVCRT ref: 6CBD5A3F
      • Part of subcall function 6CBD5A10: vfprintf.MSVCRT ref: 6CBD5A5F
      • Part of subcall function 6CBD5A10: abort.MSVCRT ref: 6CBD5A64
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: e504f33006eca57b972e9dea7b36e0dae6c4436b68a43131f4b651b45cf6adfa
    • Instruction ID: 9b98a415542a9086addb3662f5d2b8ceab8540301426a40c53715633bf165207
    • Opcode Fuzzy Hash: e504f33006eca57b972e9dea7b36e0dae6c4436b68a43131f4b651b45cf6adfa
    • Instruction Fuzzy Hash: A82188B69047518FDB00DFA8C58465AFBF0FF88318F568A29D89887754E730E808CF56
    APIs
    • bsearch.MSVCRT ref: 6CBD353F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CBD43CF), ref: 6CBD357A
    • malloc.MSVCRT ref: 6CBD35A8
    • qsort.MSVCRT ref: 6CBD35F6
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 362f3c6924a20f634051ad993553c630a9118935ce6fd12fa3f33b237524ad64
    • Instruction ID: 756d7c03526e6f41b1ba76e0e7563805bbff05e4571f78892fb6cbfe163dda50
    • Opcode Fuzzy Hash: 362f3c6924a20f634051ad993553c630a9118935ce6fd12fa3f33b237524ad64
    • Instruction Fuzzy Hash: C94172B5A183418FD710DF69C48062AB7F1FF84318F16892DE88987721E774F848CB92
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 7531bd17bbbdd5a7eaecb54bf25e0bbf3cb94eeb04088b47d12abaa80dca361e
    • Instruction ID: 1f91e97dc866cee1b34d8cb12ef773c54d36f96567f07f90bab8f5c83e8584e0
    • Opcode Fuzzy Hash: 7531bd17bbbdd5a7eaecb54bf25e0bbf3cb94eeb04088b47d12abaa80dca361e
    • Instruction Fuzzy Hash: CE21A570604240CBD7009B39C884657BBF5EF85318F168A29E9A9CB390DB35F849CF93
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction ID: 8dca615e0948207ad20ec158650be58ffa4a0b51cadedb864bd1cef72a2dce39
    • Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction Fuzzy Hash: 6F114CF06052918FD7009F2CC88075A7BE4FF45365F568669D898CF785DB38E488CB66
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CBD45F0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CBD2DB9), ref: 6CBD45FC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBD2DB9), ref: 6CBD460E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CBD2DB9), ref: 6CBD461E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CBD2DB9), ref: 6CBD4630
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 764e931556a36b53b692a8dd900a6a3a561d76d2b438ccec1c8eba090233feb1
    • Instruction ID: 9d471685e9fc8acc2ab199f99e9cc19ae4834f3108d456c2d6ebbd69c70601fc
    • Opcode Fuzzy Hash: 764e931556a36b53b692a8dd900a6a3a561d76d2b438ccec1c8eba090233feb1
    • Instruction Fuzzy Hash: A50171B16043458BDB00BFF9D58651ABBF8EF82354F45052DD898AB650EA30E859CF93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CBD5A38
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 1e89018ae6a2fc3e186433a932a1e80ca2c7abcdb3fa759e69b57327cc93efdc
    • Instruction ID: 7cad4ee2e521eec094a7f70ad68c37c0172d06ff8557730fe80603023fbc9df3
    • Opcode Fuzzy Hash: 1e89018ae6a2fc3e186433a932a1e80ca2c7abcdb3fa759e69b57327cc93efdc
    • Instruction Fuzzy Hash: 01E0AEF040A3809AD300AF68C58529EBAE8EF88348F92891DD4C847B51D779A4888F57
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CB512A5), ref: 6CBD4EE9
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6CBD5044
    • Unknown pseudo relocation bit size %d., xrefs: 6CBD4F79
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 971487b59a10455fbf827dea0fab8018553156ff2c877dc726c7fc60b41fb059
    • Instruction ID: e3c176ad6de2767162c88da39b42796458da4810d44fad0a097a00f81eb27045
    • Opcode Fuzzy Hash: 971487b59a10455fbf827dea0fab8018553156ff2c877dc726c7fc60b41fb059
    • Instruction Fuzzy Hash: 3461EF71A002868BCF04DF6DD5C0A99B7B5FF85348F5AC229D8199BB05E335B849CF92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 4a2aefa4a0f27c65abec6b98955fb62b362aec78f020a5ad2bb34c24ccabc8e8
    • Instruction ID: 0d3231156602bc2a574b187600b19ee5930c6c1a83d63e73b4148e6c2cb27dd4
    • Opcode Fuzzy Hash: 4a2aefa4a0f27c65abec6b98955fb62b362aec78f020a5ad2bb34c24ccabc8e8
    • Instruction Fuzzy Hash: AD01D7B55093509FDB00AF28958525EFBF4EB49368F06892EE8C987701E779A484CF63
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2142225043.000000006CB51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB50000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cb50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 1eae178bee87ae423e9955f2410080fd713f9c39addf58823baa377ec02cc590
    • Instruction ID: b7243e07aa21a6419559195beebbbd837f98f90b605bccb1b945a33f19417edc
    • Opcode Fuzzy Hash: 1eae178bee87ae423e9955f2410080fd713f9c39addf58823baa377ec02cc590
    • Instruction Fuzzy Hash: ACF0AFF2A057008BDB00BFBDD58591A7BB8FA45344B0A0528DD459B209EA31B809CBEB

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph
    Nodes:
    • 46442: 6ce41d40
    • 46443: 6ce41d68 WriteFile
    • 46444: 6ce41d59
    • 46445: 6ce64790
    • 46446: 6ce647a7 _beginthread
    • 46447: 6ce647f2
    • 46448: 6ce647c1 _errno
    • 46449: 6ce64800 Sleep
    • 46450: 6ce647c8 _errno
    • 46451: 6ce64814
    • 46452: 6ce647d9 fprintf abort
    Edges:
    • 46442->46443, 46442->46444, 46444->46443
    • 46445->46446, 46446->46447, 46446->46448
    • 46448->46449, 46448->46450, 46449->46446, 46449->46451
    • 46450->46452, 46451->46450, 46452->46447

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CE647D9
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: fc2638e0f62b556afd50e30e7f5ac1e932c99d8cf84d60290ead784bf8f0a2b0
    • Instruction ID: 9b3d7483f23e86448eedc0edda04ae3d6cd2a1b5714315530ad44a92c68ac681
    • Opcode Fuzzy Hash: fc2638e0f62b556afd50e30e7f5ac1e932c99d8cf84d60290ead784bf8f0a2b0
    • Instruction Fuzzy Hash: CA01A2715693008FC700BF66D88812EBBF4EF86718F61851EE48443B12C7359444DA63

    Control-flow Graph

    control_flow_graph
    Basic blocks:
    • 8: 6ce41d40-6ce41d57
    • 9: 6ce41d68-6ce41d80 WriteFile
    • 10: 6ce41d59-6ce41d66
    Edges:
    • 8->9, 8->10, 10->9
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 7c573dc0a35f96675ed0c45ebe1b117901b7476eba003b8fe9c9de22eccbaae1
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: C8E0C2715056008FCB15DF18C2C1306BBE1EB88A00F0485A8DE098BB4AD734ED10CA92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CE64B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CE64B3F
    • GetCurrentProcess.KERNEL32 ref: 6CE64B48
    • TerminateProcess.KERNEL32 ref: 6CE64B59
    • abort.MSVCRT ref: 6CE64B62
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 9d5761706b90f07f8bbab13af72be64472ccf0a66339b146ea7250b6cfacb0e4
    • Instruction ID: cb43a9ee231f8aa4b2da0dbdad82bf11b8ca0652d7fdbf600508986b15447176
    • Opcode Fuzzy Hash: 9d5761706b90f07f8bbab13af72be64472ccf0a66339b146ea7250b6cfacb0e4
    • Instruction Fuzzy Hash: 7711E6B5E153008FCB80FF69C54575EBBF0BB66308F50852AE88887752E7359A48CF52
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CE64B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CE64B3F
    • GetCurrentProcess.KERNEL32 ref: 6CE64B48
    • TerminateProcess.KERNEL32 ref: 6CE64B59
    • abort.MSVCRT ref: 6CE64B62
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 5ce77725e9cadd5838093d7f654e666abc18e091a941b6493ecb5e208f5d3bff
    • Instruction ID: 403ac9662da677272410b5b9a1522ec4a513ef0cda7a46e7b5f8e07267de3a28
    • Opcode Fuzzy Hash: 5ce77725e9cadd5838093d7f654e666abc18e091a941b6493ecb5e208f5d3bff
    • Instruction Fuzzy Hash: 641109B1E152008FCB80FF79C545759BBF0BB16308F10852AE94497742E7349948CF42

    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6CE6470C
    • unexpected cgo_bindm on Windows, xrefs: 6CE64684
    • ;, xrefs: 6CE646F8
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 96a5a7adc87ce55e4e7bd1a1e7d47336c2eca817f6b770989be409dc12e9596d
    • Instruction ID: aa01fbc73e733f13e313ce1ad8005e58ae116ccf1621f0c8119c69269a996d22
    • Opcode Fuzzy Hash: 96a5a7adc87ce55e4e7bd1a1e7d47336c2eca817f6b770989be409dc12e9596d
    • Instruction Fuzzy Hash: 2E11C5B2A14601CFDB40BFB9C10A35EBEF0BB92308F62892DD88547B12D7759559CB53
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CE64D7A
    • Address %p has no image-section, xrefs: 6CE64DBB
    • @, xrefs: 6CE64D58
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CE64DA7
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 7397ecac4da53ff5fdd8ef4c8f446e264675a0f43fd4f0ce56cf3d4622a8a026
    • Instruction ID: 161aa306576682547efdfa15c04b05976403047213a692fdd0ad992a7c0a3c15
    • Opcode Fuzzy Hash: 7397ecac4da53ff5fdd8ef4c8f446e264675a0f43fd4f0ce56cf3d4622a8a026
    • Instruction Fuzzy Hash: 02418EB6A653019FD700EF6AD48465AFBF0FB95358F65CA1ED85887B05E330E408CB92
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 51e5b6466ea9656a1c59914f0f8e735b0568513ba2c4827df104d92cc29f6261
    • Instruction ID: a8c9703a670a5a7cff2a40b6e666145bc33bc6f7f11f8c68f8e4a87f55059998
    • Opcode Fuzzy Hash: 51e5b6466ea9656a1c59914f0f8e735b0568513ba2c4827df104d92cc29f6261
    • Instruction Fuzzy Hash: 3C0171B6A293049BCB407F7A950731EBFF4AB46244F11852DD8C987B12D7309504CBA3
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 9e09a0705a4dd3967e8f6115a6f381c645d67368cdad395b619add6e89ee904c
    • Instruction ID: b0ec18903c6f5a32fdf56956a5ac9db02434d72493a765b80ce3b943fa7bf18d
    • Opcode Fuzzy Hash: 9e09a0705a4dd3967e8f6115a6f381c645d67368cdad395b619add6e89ee904c
    • Instruction Fuzzy Hash: 44518E75A593158FC700DF2AC48026AF7F5FBC8308F25892EE898D7B01E774D9498B92
    APIs
    • malloc.MSVCRT ref: 6CE6484F
    • fwrite.MSVCRT ref: 6CE6489D
    • abort.MSVCRT ref: 6CE648A2
    • free.MSVCRT ref: 6CE648C5
      • Part of subcall function 6CE64790: _beginthread.MSVCRT ref: 6CE647B6
      • Part of subcall function 6CE64790: _errno.MSVCRT ref: 6CE647C1
      • Part of subcall function 6CE64790: _errno.MSVCRT ref: 6CE647C8
      • Part of subcall function 6CE64790: fprintf.MSVCRT ref: 6CE647E8
      • Part of subcall function 6CE64790: abort.MSVCRT ref: 6CE647ED
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 2a4df51c3d52f651cd5896cd533c48a9a8af485f4be29a57b81058e82165b1ae
    • Instruction ID: 04a1fd101a8acb69e101e0ad2887aff99be765910ef965d90853fbe29b16a377
    • Opcode Fuzzy Hash: 2a4df51c3d52f651cd5896cd533c48a9a8af485f4be29a57b81058e82165b1ae
    • Instruction Fuzzy Hash: BC2129B4A55340CFC700EF29D09551ABBF0FF8A304F51899DE9888BB22D3399845CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6CE644B2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CE64569), ref: 6CE644CB
    • fwrite.MSVCRT ref: 6CE64500
    • abort.MSVCRT ref: 6CE64505
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CE644F9
    • =, xrefs: 6CE644E5
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 5aa8d02a148e011d4edc8b52673d2a52ad3a0b7be76ab98da6e108ee4dbd6d78
    • Instruction ID: 5fce03144dfc7efb222f9a1ded7f8cac03a59c8f512500474fb2159327226e85
    • Opcode Fuzzy Hash: 5aa8d02a148e011d4edc8b52673d2a52ad3a0b7be76ab98da6e108ee4dbd6d78
    • Instruction Fuzzy Hash: A2F0C9B09153019FE740BF69C01936ABAF0BB81308FA2885ED49887A42DB7A91488F53
    APIs
    • Sleep.KERNEL32(?,?,?,6CDE12E0,?,?,?,?,?,?,6CDE13A3), ref: 6CDE1057
    • _amsg_exit.MSVCRT ref: 6CDE1085
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 595e261d20def58f91e7a61ccb5dec58322c7c07241f88dcf2dd8816b644903d
    • Instruction ID: 58f057e137707bc138546f4262018f5f3452d46662c6d7b2413787ef4e1f5362
    • Opcode Fuzzy Hash: 595e261d20def58f91e7a61ccb5dec58322c7c07241f88dcf2dd8816b644903d
    • Instruction Fuzzy Hash: B641A2B1B19201CBEB40AF5DD48575AB7F1EB99348F50852ED4988BB17D735C884CB82
    APIs
    • VirtualQuery.KERNEL32 ref: 6CE64D0D
    • VirtualProtect.KERNEL32 ref: 6CE64D67
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEFCA48), ref: 6CE64D74
      • Part of subcall function 6CE65A10: fwrite.MSVCRT ref: 6CE65A3F
      • Part of subcall function 6CE65A10: vfprintf.MSVCRT ref: 6CE65A5F
      • Part of subcall function 6CE65A10: abort.MSVCRT ref: 6CE65A64
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 25b609be4bfe0d1dc40695c670182bac089194a65c2a0bdbe99813a87a12cade
    • Instruction ID: 26edfeea541047a295eef07c384a85d6c552279a4e9b8c63458092fa3f12cb73
    • Opcode Fuzzy Hash: 25b609be4bfe0d1dc40695c670182bac089194a65c2a0bdbe99813a87a12cade
    • Instruction Fuzzy Hash: 052157B6A143018FD740EF29C48461ABBF0BB9931CF65CA2AD89887B15E330E508CB52
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 2c7333b09aaa1a18b229b3b5b6dfe94d2cc0c24041db00ed46380e7dca5bdc26
    • Instruction ID: 412741f91c0059a2aa237173a0da7786db09bf72de60f86847736b2121b23758
    • Opcode Fuzzy Hash: 2c7333b09aaa1a18b229b3b5b6dfe94d2cc0c24041db00ed46380e7dca5bdc26
    • Instruction Fuzzy Hash: F4019DB09183019FDB00FF65C09931EBFF0AB88349F10891EE8D89B651E77982488F93
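    The Similarity fields (API ID, String ID, API String ID, Opcode ID) are what make these per-function entries comparable across samples, and for a Go DLL built with cgo most of them describe runtime scaffolding rather than the sample's own logic: the "runtime: ..." and "runtime/cgo: ..." strings come from Go's runtime, while the "VirtualProtect failed", "VirtualQuery failed", "has no image-section" and "__register_frame_info / libgcc_s_dw2-1.dll" strings come from the mingw-w64 C runtime that cgo links against. The "Erro: %s" function above matches neither and is the kind of entry a reviewer should open first. The Python script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself; it parses a few of the entries from this page (copied inline as constructed input) and buckets each function by those markers. The marker lists are an assumption drawn from the Go runtime/cgo and mingw-w64 CRT sources, not something Joe Sandbox emits.

```python
"""Triage the per-function Similarity entries of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox: parses the
'• API ID / String ID / API String ID / Opcode ID' lines and buckets each
function by what its strings betray about where the code came from.
"""
import re
from dataclasses import dataclass, field

# Marker substrings are an assumption based on the Go runtime/cgo sources and
# the mingw-w64 CRT (pseudo-relocation and libgcc frame registration code);
# Joe Sandbox does not emit these lists.
GO_RUNTIME_MARKERS = ("runtime: ", "runtime/cgo", "cgo_bindm")
MINGW_CRT_MARKERS = (
    "VirtualProtect failed", "VirtualQuery failed", "has no image-section",
    "__register_frame_info", "libgcc_s_dw2-1.dll",
)

# One Similarity field per line, e.g. '    • API ID: FileWrite'
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID):\s*(.*?)\s*$")


@dataclass
class FunctionEntry:
    api_id: str = ""
    strings: list[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""


def parse_entries(text: str) -> list[FunctionEntry]:
    """Group the Similarity fields into one entry per function.

    Joe Sandbox joins several strings with '$' (so a literal '$' inside a
    string is split too); an empty String ID yields no strings.
    The Opcode ID line closes an entry.
    """
    entries: list[FunctionEntry] = []
    cur = FunctionEntry()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "API String ID":
            cur.api_string_id = value
        else:  # Opcode ID ends the entry
            cur.opcode_id = value
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def classify(entry: FunctionEntry) -> str:
    """Return 'go_runtime', 'mingw_crt' or 'unclassified' for one function."""
    joined = "\n".join(entry.strings)
    if any(mk in joined for mk in GO_RUNTIME_MARKERS):
        return "go_runtime"
    if any(mk in joined for mk in MINGW_CRT_MARKERS):
        return "mingw_crt"
    return "unclassified"


def triage(text: str) -> dict[str, list[str]]:
    """Map each bucket to the Opcode IDs of the functions that fall into it."""
    buckets: dict[str, list[str]] = {"go_runtime": [], "mingw_crt": [], "unclassified": []}
    for entry in parse_entries(text):
        buckets[classify(entry)].append(entry.opcode_id)
    return buckets


# Constructed input: four entries copied from the listing on this page.
SAMPLE_REPORT = """\
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: fc2638e0f62b556afd50e30e7f5ac1e932c99d8cf84d60290ead784bf8f0a2b0
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 51e5b6466ea9656a1c59914f0f8e735b0568513ba2c4827df104d92cc29f6261
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 2c7333b09aaa1a18b229b3b5b6dfe94d2cc0c24041db00ed46380e7dca5bdc26
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
"""

if __name__ == "__main__":
    for bucket, opcode_ids in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(opcode_ids)} function(s)")
        for oid in opcode_ids:
            print("   ", oid)
```

    Run against the full report text, the "unclassified" bucket shrinks the review to functions that are neither Go runtime nor CRT; functions with no strings at all (like the WriteFile wrapper) land there too, so the bucket still needs a look at the API ID before it is treated as sample-specific code.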
    APIs
    • bsearch.MSVCRT ref: 6CE6353F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CE643CF), ref: 6CE6357A
    • malloc.MSVCRT ref: 6CE635A8
    • qsort.MSVCRT ref: 6CE635F6
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: c37bb1a41aafe7d4eb201e05f274257656618e723cb6af7310d7a7ae3c2f93f5
    • Instruction ID: e49e64787eaf8b3c23c043975a49f386f187fc27b361a92fdfced31bbc8397cf
    • Opcode Fuzzy Hash: c37bb1a41aafe7d4eb201e05f274257656618e723cb6af7310d7a7ae3c2f93f5
    • Instruction Fuzzy Hash: 2C418075A543018FD710DF2AC48062ABBF1FF84318F25892DE88987B61E774E848CB92
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated dumps and IDA Plugin snapshot (hcaresult_13_2_6cde0000_rundll32.jbxd): same as listed above
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: bdc189fabee65787c565fd4e6e5816f0fa810dc5b201a9890c85a2a618693ba0
    • Instruction ID: b8e6a9c75f7ff0ea27db55dbab0a2e8a9d4e64641b082f6db642b70e94cbe9cb
    • Opcode Fuzzy Hash: bdc189fabee65787c565fd4e6e5816f0fa810dc5b201a9890c85a2a618693ba0
    • Instruction Fuzzy Hash: 8521D571764200CBD700EF3AC854A56B7F0AF8631CF248A2AE9A5CB791DB35E845CB52
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction ID: 36309935bcbdfa62fbabdcaa6596413c248222ad2365a723ab5beffd90e059f1
    • Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction Fuzzy Hash: E9113D707A63018BD7009F2AC48075A7BF4FF45368F648669D4A8CBF86DB38D445CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CE64A69
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDE13B9), ref: 6CE64A7A
    • GetCurrentThreadId.KERNEL32 ref: 6CE64A82
    • GetTickCount.KERNEL32 ref: 6CE64A8A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDE13B9), ref: 6CE64A99
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: ca0e4beba323d3ba12b6766cd6e15ece160ed9ae67111a3f982fd0b4e6b5ba2d
    • Instruction ID: f61ac9cff094571311d43b18ab88005a680ab64adcccf63e0a21e9fde22f169d
    • Opcode Fuzzy Hash: ca0e4beba323d3ba12b6766cd6e15ece160ed9ae67111a3f982fd0b4e6b5ba2d
    • Instruction Fuzzy Hash: 48114FB6B693018BCB40FF79E98865BBBF0FB89258F11493AE444C7700EA35D5498792
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CE645F0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE645FC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE6460E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE6461E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE64630
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 02db377f3186ac92f01666f907f007b2b88c518b7cc7ce01c3049c1a30037721
    • Instruction ID: d1d76221d68083ae127613fc3748245efb38a75b5892c3e23f2928c74f092f29
    • Opcode Fuzzy Hash: 02db377f3186ac92f01666f907f007b2b88c518b7cc7ce01c3049c1a30037721
    • Instruction Fuzzy Hash: 930152B1D14345CBDA00FF79958551ABFB4AB93318F22852ED89047752D630E45DCB93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CE65A38
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: f936a778c0049785ca711a620f49a5d4c19fd09534cf74ee8569c8db4c9dc6d1
    • Instruction ID: 5066d85e69de0bd0c03014099f97d9deefe0d6bf6cd6cb4dc4f720c85cd44d0a
    • Opcode Fuzzy Hash: f936a778c0049785ca711a620f49a5d4c19fd09534cf74ee8569c8db4c9dc6d1
    • Instruction Fuzzy Hash: 41E0C2B069A3009EC300AF6AC08529EBAF8BF89348F61991CD4C947F53C7789489CF53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDE12A5), ref: 6CE64EE9
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CE64F79
    • Unknown pseudo relocation protocol version %d., xrefs: 6CE65044
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 0f39e53407ad378a8f29662a334c6fc915434cca92fd707198b8bcaa9382579f
    • Instruction ID: 1718460ce3d18ce62f8c8f83230c903658e1d4a08a716c286ad87c5c088255ad
    • Opcode Fuzzy Hash: 0f39e53407ad378a8f29662a334c6fc915434cca92fd707198b8bcaa9382579f
    • Instruction Fuzzy Hash: D061F031B612058FCB10EF6EC4D1699B7B1BB86318F35C52AD8269BF15D331B806CB81
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 35a91b776d538230118eba376d65e845721775cb79aab2dd4ab1193b98f4ce25
    • Instruction ID: 802c67dad19f03b15a632407b139ee24e87c374e2bed888b018665843686bb02
    • Opcode Fuzzy Hash: 35a91b776d538230118eba376d65e845721775cb79aab2dd4ab1193b98f4ce25
    • Instruction Fuzzy Hash: 220117B55993109FD700BF2A944925EFBF0AF49318F21882EE8C987B01E7798444CF53
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 441703f196e56686e6ba09e6903acdb622b5de23e9fcbd7fd1afa8717e028944
    • Instruction ID: 0020f33faacedaea7a4f6a8a067d13eb1e12a8bac79e61d3652df03f5e3f0d09
    • Opcode Fuzzy Hash: 441703f196e56686e6ba09e6903acdb622b5de23e9fcbd7fd1afa8717e028944
    • Instruction Fuzzy Hash: C021E3B5A156018BDB00EF26C1C871ABBF0BF84718F25C96DD8898BB0AD735D845CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2242051267.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 0000000D.00000002.2241938295.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242311593.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242416705.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242517103.000000006CE69000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242598727.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2242949383.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243033008.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243201784.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243292947.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243360176.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2243425315.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 99a3d5fb25dcf8d0961172cab8751463c35e992afe8706dc82143431bd3f100c
    • Instruction ID: 171316adb085dfd7afdfe085828277bde542cc687588155da49839951dbeeb90
    • Opcode Fuzzy Hash: 99a3d5fb25dcf8d0961172cab8751463c35e992afe8706dc82143431bd3f100c
    • Instruction Fuzzy Hash: 7EF0A4B6B152118BDB40BF7DD48561A7BB4FA5530CF054528DD8547707E630E909CBE3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 11
    Total number of Limit Nodes: 1
    execution_graph (edges between function/call nodes):
    6ce41d40 -> 6ce41d68 (VirtualAlloc)
    6ce41d40 -> 6ce41d59 -> 6ce41d68 (VirtualAlloc)
    6ce64790 -> 6ce647a7 (_beginthread) -> 6ce647f2
    6ce647a7 (_beginthread) -> 6ce647c1 (_errno) -> 6ce64800 (Sleep) -> 6ce647a7 (_beginthread)
    6ce64800 (Sleep) -> 6ce64814 -> 6ce647c8 (_errno) -> 6ce647d9 (fprintf, abort) -> 6ce647f2
    6ce647c1 (_errno) -> 6ce647c8 (_errno)

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CE647D9
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: fc2638e0f62b556afd50e30e7f5ac1e932c99d8cf84d60290ead784bf8f0a2b0
    • Instruction ID: 9b3d7483f23e86448eedc0edda04ae3d6cd2a1b5714315530ad44a92c68ac681
    • Opcode Fuzzy Hash: fc2638e0f62b556afd50e30e7f5ac1e932c99d8cf84d60290ead784bf8f0a2b0
    • Instruction Fuzzy Hash: CA01A2715693008FC700BF66D88812EBBF4EF86718F61851EE48443B12C7359444DA63

    Control-flow Graph

    control_flow_graph (basic blocks and edges):
    6ce41d40-6ce41d57 -> 6ce41d68-6ce41d80 (VirtualAlloc)
    6ce41d40-6ce41d57 -> 6ce41d59-6ce41d66 -> 6ce41d68-6ce41d80 (VirtualAlloc)
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 7c573dc0a35f96675ed0c45ebe1b117901b7476eba003b8fe9c9de22eccbaae1
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: C8E0C2715056008FCB15DF18C2C1306BBE1EB88A00F0485A8DE098BB4AD734ED10CA92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CE64B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CE64B3F
    • GetCurrentProcess.KERNEL32 ref: 6CE64B48
    • TerminateProcess.KERNEL32 ref: 6CE64B59
    • abort.MSVCRT ref: 6CE64B62
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 9d5761706b90f07f8bbab13af72be64472ccf0a66339b146ea7250b6cfacb0e4
    • Instruction ID: cb43a9ee231f8aa4b2da0dbdad82bf11b8ca0652d7fdbf600508986b15447176
    • Opcode Fuzzy Hash: 9d5761706b90f07f8bbab13af72be64472ccf0a66339b146ea7250b6cfacb0e4
    • Instruction Fuzzy Hash: 7711E6B5E153008FCB80FF69C54575EBBF0BB66308F50852AE88887752E7359A48CF52
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CE64B2F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CE64B3F
    • GetCurrentProcess.KERNEL32 ref: 6CE64B48
    • TerminateProcess.KERNEL32 ref: 6CE64B59
    • abort.MSVCRT ref: 6CE64B62
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 5ce77725e9cadd5838093d7f654e666abc18e091a941b6493ecb5e208f5d3bff
    • Instruction ID: 403ac9662da677272410b5b9a1522ec4a513ef0cda7a46e7b5f8e07267de3a28
    • Opcode Fuzzy Hash: 5ce77725e9cadd5838093d7f654e666abc18e091a941b6493ecb5e208f5d3bff
    • Instruction Fuzzy Hash: 641109B1E152008FCB80FF79C545759BBF0BB16308F10852AE94497742E7349948CF42

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6CE6470C
    • unexpected cgo_bindm on Windows, xrefs: 6CE64684
    • ;, xrefs: 6CE646F8
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 96a5a7adc87ce55e4e7bd1a1e7d47336c2eca817f6b770989be409dc12e9596d
    • Instruction ID: aa01fbc73e733f13e313ce1ad8005e58ae116ccf1621f0c8119c69269a996d22
    • Opcode Fuzzy Hash: 96a5a7adc87ce55e4e7bd1a1e7d47336c2eca817f6b770989be409dc12e9596d
    • Instruction Fuzzy Hash: 2E11C5B2A14601CFDB40BFB9C10A35EBEF0BB92308F62892DD88547B12D7759559CB53
    Strings
    • @, xrefs: 6CE64D58
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CE64DA7
    • VirtualProtect failed with code 0x%x, xrefs: 6CE64D7A
    • Address %p has no image-section, xrefs: 6CE64DBB
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 7397ecac4da53ff5fdd8ef4c8f446e264675a0f43fd4f0ce56cf3d4622a8a026
    • Instruction ID: 161aa306576682547efdfa15c04b05976403047213a692fdd0ad992a7c0a3c15
    • Opcode Fuzzy Hash: 7397ecac4da53ff5fdd8ef4c8f446e264675a0f43fd4f0ce56cf3d4622a8a026
    • Instruction Fuzzy Hash: 02418EB6A653019FD700EF6AD48465AFBF0FB95358F65CA1ED85887B05E330E408CB92
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 51e5b6466ea9656a1c59914f0f8e735b0568513ba2c4827df104d92cc29f6261
    • Instruction ID: a8c9703a670a5a7cff2a40b6e666145bc33bc6f7f11f8c68f8e4a87f55059998
    • Opcode Fuzzy Hash: 51e5b6466ea9656a1c59914f0f8e735b0568513ba2c4827df104d92cc29f6261
    • Instruction Fuzzy Hash: 3C0171B6A293049BCB407F7A950731EBFF4AB46244F11852DD8C987B12D7309504CBA3
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 9e09a0705a4dd3967e8f6115a6f381c645d67368cdad395b619add6e89ee904c
    • Instruction ID: b0ec18903c6f5a32fdf56956a5ac9db02434d72493a765b80ce3b943fa7bf18d
    • Opcode Fuzzy Hash: 9e09a0705a4dd3967e8f6115a6f381c645d67368cdad395b619add6e89ee904c
    • Instruction Fuzzy Hash: 44518E75A593158FC700DF2AC48026AF7F5FBC8308F25892EE898D7B01E774D9498B92
    APIs
    • malloc.MSVCRT ref: 6CE6484F
    • fwrite.MSVCRT ref: 6CE6489D
    • abort.MSVCRT ref: 6CE648A2
    • free.MSVCRT ref: 6CE648C5
      • Part of subcall function 6CE64790: _beginthread.MSVCRT ref: 6CE647B6
      • Part of subcall function 6CE64790: _errno.MSVCRT ref: 6CE647C1
      • Part of subcall function 6CE64790: _errno.MSVCRT ref: 6CE647C8
      • Part of subcall function 6CE64790: fprintf.MSVCRT ref: 6CE647E8
      • Part of subcall function 6CE64790: abort.MSVCRT ref: 6CE647ED
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 2a4df51c3d52f651cd5896cd533c48a9a8af485f4be29a57b81058e82165b1ae
    • Instruction ID: 04a1fd101a8acb69e101e0ad2887aff99be765910ef965d90853fbe29b16a377
    • Opcode Fuzzy Hash: 2a4df51c3d52f651cd5896cd533c48a9a8af485f4be29a57b81058e82165b1ae
    • Instruction Fuzzy Hash: BC2129B4A55340CFC700EF29D09551ABBF0FF8A304F51899DE9888BB22D3399845CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6CE644B2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CE64569), ref: 6CE644CB
    • fwrite.MSVCRT ref: 6CE64500
    • abort.MSVCRT ref: 6CE64505
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CE644F9
    • =, xrefs: 6CE644E5
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 5aa8d02a148e011d4edc8b52673d2a52ad3a0b7be76ab98da6e108ee4dbd6d78
    • Instruction ID: 5fce03144dfc7efb222f9a1ded7f8cac03a59c8f512500474fb2159327226e85
    • Opcode Fuzzy Hash: 5aa8d02a148e011d4edc8b52673d2a52ad3a0b7be76ab98da6e108ee4dbd6d78
    • Instruction Fuzzy Hash: A2F0C9B09153019FE740BF69C01936ABAF0BB81308FA2885ED49887A42DB7A91488F53
    APIs
    • Sleep.KERNEL32(?,?,?,6CDE12E0,?,?,?,?,?,?,6CDE13A3), ref: 6CDE1057
    • _amsg_exit.MSVCRT ref: 6CDE1085
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 595e261d20def58f91e7a61ccb5dec58322c7c07241f88dcf2dd8816b644903d
    • Instruction ID: 58f057e137707bc138546f4262018f5f3452d46662c6d7b2413787ef4e1f5362
    • Opcode Fuzzy Hash: 595e261d20def58f91e7a61ccb5dec58322c7c07241f88dcf2dd8816b644903d
    • Instruction Fuzzy Hash: B641A2B1B19201CBEB40AF5DD48575AB7F1EB99348F50852ED4988BB17D735C884CB82
    APIs
    • VirtualQuery.KERNEL32 ref: 6CE64D0D
    • VirtualProtect.KERNEL32 ref: 6CE64D67
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEFCA48), ref: 6CE64D74
      • Part of subcall function 6CE65A10: fwrite.MSVCRT ref: 6CE65A3F
      • Part of subcall function 6CE65A10: vfprintf.MSVCRT ref: 6CE65A5F
      • Part of subcall function 6CE65A10: abort.MSVCRT ref: 6CE65A64
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 25b609be4bfe0d1dc40695c670182bac089194a65c2a0bdbe99813a87a12cade
    • Instruction ID: 26edfeea541047a295eef07c384a85d6c552279a4e9b8c63458092fa3f12cb73
    • Opcode Fuzzy Hash: 25b609be4bfe0d1dc40695c670182bac089194a65c2a0bdbe99813a87a12cade
    • Instruction Fuzzy Hash: 052157B6A143018FD740EF29C48461ABBF0BB9931CF65CA2AD89887B15E330E508CB52
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 2c7333b09aaa1a18b229b3b5b6dfe94d2cc0c24041db00ed46380e7dca5bdc26
    • Instruction ID: 412741f91c0059a2aa237173a0da7786db09bf72de60f86847736b2121b23758
    • Opcode Fuzzy Hash: 2c7333b09aaa1a18b229b3b5b6dfe94d2cc0c24041db00ed46380e7dca5bdc26
    • Instruction Fuzzy Hash: F4019DB09183019FDB00FF65C09931EBFF0AB88349F10891EE8D89B651E77982488F93
    APIs
    • bsearch.MSVCRT ref: 6CE6353F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CE643CF), ref: 6CE6357A
    • malloc.MSVCRT ref: 6CE635A8
    • qsort.MSVCRT ref: 6CE635F6
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: c37bb1a41aafe7d4eb201e05f274257656618e723cb6af7310d7a7ae3c2f93f5
    • Instruction ID: e49e64787eaf8b3c23c043975a49f386f187fc27b361a92fdfced31bbc8397cf
    • Opcode Fuzzy Hash: c37bb1a41aafe7d4eb201e05f274257656618e723cb6af7310d7a7ae3c2f93f5
    • Instruction Fuzzy Hash: 2C418075A543018FD710DF2AC48062ABBF1FF84318F25892DE88987B61E774E848CB92
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: bdc189fabee65787c565fd4e6e5816f0fa810dc5b201a9890c85a2a618693ba0
    • Instruction ID: b8e6a9c75f7ff0ea27db55dbab0a2e8a9d4e64641b082f6db642b70e94cbe9cb
    • Opcode Fuzzy Hash: bdc189fabee65787c565fd4e6e5816f0fa810dc5b201a9890c85a2a618693ba0
    • Instruction Fuzzy Hash: 8521D571764200CBD700EF3AC854A56B7F0AF8631CF248A2AE9A5CB791DB35E845CB52
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction ID: 36309935bcbdfa62fbabdcaa6596413c248222ad2365a723ab5beffd90e059f1
    • Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction Fuzzy Hash: E9113D707A63018BD7009F2AC48075A7BF4FF45368F648669D4A8CBF86DB38D445CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CE64A69
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDE13B9), ref: 6CE64A7A
    • GetCurrentThreadId.KERNEL32 ref: 6CE64A82
    • GetTickCount.KERNEL32 ref: 6CE64A8A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDE13B9), ref: 6CE64A99
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    • Associated: 00000011.00000002.2238405658.000000006CDE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238774672.000000006CE66000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238875021.000000006CE67000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239067882.000000006CE6B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CE6D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239202720.000000006CED5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239668725.000000006CEFF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF05000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239790927.000000006CF09000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240043688.000000006CF3D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240172945.000000006CF44000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240294819.000000006CF45000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2240420424.000000006CF48000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: ca0e4beba323d3ba12b6766cd6e15ece160ed9ae67111a3f982fd0b4e6b5ba2d
    • Instruction ID: f61ac9cff094571311d43b18ab88005a680ab64adcccf63e0a21e9fde22f169d
    • Opcode Fuzzy Hash: ca0e4beba323d3ba12b6766cd6e15ece160ed9ae67111a3f982fd0b4e6b5ba2d
    • Instruction Fuzzy Hash: 48114FB6B693018BCB40FF79E98865BBBF0FB89258F11493AE444C7700EA35D5498792
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CE645F0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE645FC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE6460E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE6461E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CE62DB9), ref: 6CE64630
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 02db377f3186ac92f01666f907f007b2b88c518b7cc7ce01c3049c1a30037721
    • Instruction ID: d1d76221d68083ae127613fc3748245efb38a75b5892c3e23f2928c74f092f29
    • Opcode Fuzzy Hash: 02db377f3186ac92f01666f907f007b2b88c518b7cc7ce01c3049c1a30037721
    • Instruction Fuzzy Hash: 930152B1D14345CBDA00FF79958551ABFB4AB93318F22852ED89047752D630E45DCB93
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CE65A38
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: f936a778c0049785ca711a620f49a5d4c19fd09534cf74ee8569c8db4c9dc6d1
    • Instruction ID: 5066d85e69de0bd0c03014099f97d9deefe0d6bf6cd6cb4dc4f720c85cd44d0a
    • Opcode Fuzzy Hash: f936a778c0049785ca711a620f49a5d4c19fd09534cf74ee8569c8db4c9dc6d1
    • Instruction Fuzzy Hash: 41E0C2B069A3009EC300AF6AC08529EBAF8BF89348F61991CD4C947F53C7789489CF53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDE12A5), ref: 6CE64EE9
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6CE65044
    • Unknown pseudo relocation bit size %d., xrefs: 6CE64F79
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 0f39e53407ad378a8f29662a334c6fc915434cca92fd707198b8bcaa9382579f
    • Instruction ID: 1718460ce3d18ce62f8c8f83230c903658e1d4a08a716c286ad87c5c088255ad
    • Opcode Fuzzy Hash: 0f39e53407ad378a8f29662a334c6fc915434cca92fd707198b8bcaa9382579f
    • Instruction Fuzzy Hash: D061F031B612058FCB10EF6EC4D1699B7B1BB86318F35C52AD8269BF15D331B806CB81
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 35a91b776d538230118eba376d65e845721775cb79aab2dd4ab1193b98f4ce25
    • Instruction ID: 802c67dad19f03b15a632407b139ee24e87c374e2bed888b018665843686bb02
    • Opcode Fuzzy Hash: 35a91b776d538230118eba376d65e845721775cb79aab2dd4ab1193b98f4ce25
    • Instruction Fuzzy Hash: 220117B55993109FD700BF2A944925EFBF0AF49318F21882EE8C987B01E7798444CF53
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 441703f196e56686e6ba09e6903acdb622b5de23e9fcbd7fd1afa8717e028944
    • Instruction ID: 0020f33faacedaea7a4f6a8a067d13eb1e12a8bac79e61d3652df03f5e3f0d09
    • Opcode Fuzzy Hash: 441703f196e56686e6ba09e6903acdb622b5de23e9fcbd7fd1afa8717e028944
    • Instruction Fuzzy Hash: C021E3B5A156018BDB00EF26C1C871ABBF0BF84718F25C96DD8898BB0AD735D845CB92
    Memory Dump Source
    • Source File: 00000011.00000002.2238506650.000000006CDE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cde0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 99a3d5fb25dcf8d0961172cab8751463c35e992afe8706dc82143431bd3f100c
    • Instruction ID: 171316adb085dfd7afdfe085828277bde542cc687588155da49839951dbeeb90
    • Opcode Fuzzy Hash: 99a3d5fb25dcf8d0961172cab8751463c35e992afe8706dc82143431bd3f100c
    • Instruction Fuzzy Hash: 7EF0A4B6B152118BDB40BF7DD48561A7BB4FA5530CF054528DD8547707E630E909CBE3