
Windows Analysis Report
xDiFxvBGxr.dll

Overview

General Information

Sample name: xDiFxvBGxr.dll
renamed because original name is a hash value
Original sample name: 4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4.dll
Analysis ID: 1544805
MD5: 61bfb54126141190fb295481d67f8ca1
SHA1: c4100746f947bf262024d57f9542cd35bb6088e3
SHA256: 4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7696 cmdline: loaddll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7768 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7812 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7792 cmdline: rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8032 cmdline: rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8100 cmdline: rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8164 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5688 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7248 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7468 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 336 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6256 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6824 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3676 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6196 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6536 cmdline: rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01830
Source: xDiFxvBGxr.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: xDiFxvBGxr.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D272CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 4_2_6D272CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 4_2_6D28CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 4_2_6D299030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 4_2_6D29A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 13_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 13_2_6CEECEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 13_2_6CEF9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 13_2_6CEFA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 17_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 17_2_6CEECEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 17_2_6CEF9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 17_2_6CEFA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A2A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A1570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A11F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF02A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF01570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF02A90 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01A70 NtCreateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF01570 NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF011F0 NtCancelWaitCompletionPacket,NtAssociateWaitCompletionPacket,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2CBD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D272CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D272CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D302F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2ACF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2C5FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F4E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D27BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2DA992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2859F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2CD800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2EE860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F6860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D307B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D27FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D280AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F5AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D293400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2B6470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2D344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D291440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D296630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F2680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2C8690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2F96C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2A6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2ED010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2880A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2790F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2AA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D303350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2D73A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2993F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2AE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D2732A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D29B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF2BD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF56D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEDBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF54E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF25FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF62F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF56860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF2D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF3A992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF55AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEDFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF67B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF16470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF3344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF596C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF28690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF52680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEE80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF06010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEFB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CED32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CEF93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF373A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF63350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF0A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF2BD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF56D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEDBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF54E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF25FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF62F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF4E860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF56860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF2D800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFD9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF3A992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF55AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFCA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEDFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF67B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF16470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF3344F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF596C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF28690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF52680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEE80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFD040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF06010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF4D010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEFB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CED32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CEF93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF373A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF63350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CF0A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF36BB0 appears 964 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF03B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D2D6BB0 appears 482 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF05080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D2A7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF07410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CF35860 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CED2C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824
Source: xDiFxvBGxr.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D305CF0 GetLastError,FormatMessageA,LocalFree,
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\045777b6-e412-4cd2-bb5c-c660db4c6c29
Source: xDiFxvBGxr.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe; String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe; String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe; String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe; String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe; String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe; String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe; String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe; String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe; String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe; String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe; String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe; String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe; String found in binary or memory: 00accessing a corrupted shared librarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser a
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 864
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 804
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: xDiFxvBGxr.dll; Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: xDiFxvBGxr.dll; Static file information: File size 1397248 > 1048576
Source: xDiFxvBGxr.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D2713E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D2713E0
Source: xDiFxvBGxr.dll; Static PE information: real checksum: 0x162d6f should be: 0x15b6c1
Source: xDiFxvBGxr.dll; Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0183C3C1 push ebp; retf 0_2_0183C3C3
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0183D80F push edi; iretd 0_2_0183D827
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0183AF34 push eax; retf 0_2_0183AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_04C3AF34 push eax; retf 5_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_0483AF34 push eax; retf 11_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0443AF34 push eax; retf 12_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0443D7FC push ebp; iretd 12_2_0443D7FE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_04C3AF34 push eax; retf 14_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_04C80371 push cs; ret 14_2_04C8037A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_04C3AF34 push eax; retf 15_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_04C3D81A push 8BF3197Ch; iretd 19_2_04C3D821
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_04D021B6 push cs; iretd 19_2_04D02335
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_0443C8C5 pushfd ; iretd 20_2_0443C8CC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_0443AF34 push eax; retf 20_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_0503C3DA push ecx; retf 21_2_0503C3DB
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_0503AF34 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_04C3AF34 push eax; retf 22_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_0443AF34 push eax; retf 24_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_044803BA push es; retf 24_2_044803C3
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_044808F7 push ss; retf 24_2_044808F8
Source: C:\Windows\System32\loaddll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2DC1E0 rdtscp 4_2_6D2DC1E0
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 0.8 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2DC1E0 rdtscp 4_2_6D2DC1E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2713E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D2713E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D304FE0 free,free,GetProcessHeap,HeapFree,4_2_6D304FE0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2A1C90 RtlGetVersion,RtlGetCurrentPeb,4_2_6D2A1C90
MITRE ATT&CK matrix (techniques matched by this sample carry their signature count in parentheses; the other entries are the matrix's unmatched technique names):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (3)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (3); Virtualization/Sandbox Evasion (11); System Information Discovery (2); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1544805
Sample: xDiFxvBGxr.dll
Start date: 29/10/2024
Architecture: WINDOWS
Score: 48
Signature on start node: AI detected suspicious sample

Process tree (as drawn in the behavior graph):
  loaddll32.exe (started)
    rundll32.exe (started); signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
      WerFault.exe (started)
    cmd.exe (started)
      rundll32.exe (started)
        WerFault.exe (started)
    rundll32.exe (started)
      WerFault.exe (started)
    12 other processes (started)

Source | Detection | Scanner | Label | Link
xDiFxvBGxr.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544805
Start date and time:2024-10-29 19:09:56 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:29
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:xDiFxvBGxr.dll
renamed because original name is a hash value
Original Sample Name:4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 7
  • Number of non-executed functions: 126
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 7696 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 336 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 3676 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5688 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6196 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6256 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6536 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6824 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7248 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7812 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 8032 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 8100 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: xDiFxvBGxr.dll
Time | Type | Description
14:11:04 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.290189181087446
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:xDiFxvBGxr.dll
File size:1'397'248 bytes
MD5:61bfb54126141190fb295481d67f8ca1
SHA1:c4100746f947bf262024d57f9542cd35bb6088e3
SHA256:4e9da8e38d853b28552c0e6fab42435765d199ff7274dda0bf9056eb28d561d4
SHA512:db9f122c8b2d8d43acc3066f0ce55c28c47674280b40ad2ee80bfedb2cc4582763a33fb9369127b8ae32558584112de83a8e83ab95898e7bf8de118e6ac5dca4
SSDEEP:24576:+L6QjsFnfL4vQ1BA7w/rFIWz1sPdatv3a7AAD0OnHOQo:+7hSs/IEML
TLSH:25552900FD8744F1E003263285A7A2AF63256D095F31DBD7FB48BA7DFA736950836296
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...*.....N...N.................m................................o-....@... ...................... ..-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1390
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d95b710, 0x6d95b6c0
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:fc4278e40a172f1e8b037cb3d2809e66
Instruction
sub esp, 0Ch
mov dword ptr [6DA31D9Ch], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007F7024B81F17h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA0D000h
mov dword ptr [esp+04h], eax
call 00007F7024C1D4AEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D964000h
call dword ptr [6DA33224h]
sub esp, 04h
test eax, eax
je 00007F7024B82135h
mov ebx, eax
mov dword ptr [esp], 6D964000h
call dword ptr [6DA3326Ch]
mov edi, dword ptr [6DA33230h]
sub esp, 04h
mov dword ptr [6DA0D010h], eax
mov dword ptr [esp+04h], 6D964013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D964029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [6D95D004h], eax
test esi, esi
je 00007F7024B820D3h
mov dword ptr [esp+04h], 6DA0D014h
mov dword ptr [esp], 6DA0B124h
call esi
mov dword ptr [eax+eax], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x172000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173000 | 0xbb0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x176000 | 0x882c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14a464 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1731dc | 0x1a0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9be78 | 0x9c000 | aba49137542b48febcb482750a8cc12b | False | 0.473239996494391 | data | 6.303288564136092 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9d000 | 0x67ec | 0x6800 | 6335743218097df596292d1b07545000 | False | 0.4210862379807692 | dBase III DBT, version number 0, next free block index 1, 1st item "" | 4.459836588548849 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0xa68ec | 0xa6a00 | 6322975ffe25297d2bb1d047b0ca7b4d | False | 0.431643555420105 | data | 5.601699210600243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram | 0x14b000 | 0x1e94 | 0x2000 | b3586cda6a9f1266d88c9bd57736d705 | False | 0.3330078125 | data | 4.772055814218093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x14d000 | 0x24df0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x172000 | 0x12d | 0x200 | c87fc8f8787817a98c6f2502635f9f1e | False | 0.462890625 | data | 3.4271057556060756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x173000 | 0xbb0 | 0xc00 | f9325c52db82893fba8d59d311b3a681 | False | 0.408203125 | data | 5.213100684276811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x174000 | 0x2c | 0x200 | 39d753f3f872fc69a1bf3c2eedf6fbbd | False | 0.056640625 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x175000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x176000 | 0x882c | 0x8a00 | dd1adb4374615c7a27f8a414af43022d | False | 0.6620810688405797 | data | 6.62715025599472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, PostQueuedCompletionStatus, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | __mb_cur_max, _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memset, qsort, realloc, setlocale, strchr, strcmp, strerror, strlen, strncmp, strtol, vfprintf, wcslen, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9546f0
BarDestroy | 2 | 0x6d954970
BarFreeRec | 3 | 0x6d954920
BarRecognize | 4 | 0x6d9548d0
GetInstallDetailsPayload | 5 | 0x6d954830
SignalInitializeCrashReporting | 6 | 0x6d954880
SpellFree | 7 | 0x6d954740
SpellInit | 8 | 0x6d954790
SpellSpell | 9 | 0x6d9547e0
_cgo_dummy_export | 10 | 0x6da313a8
No network behavior found
Target ID:0
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll"
Imagebase:0xfe0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Imagebase:0xc50000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarCreate
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",#1
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 824
Imagebase:0x2d0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:10:54
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 864
Imagebase:0x2d0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:10:57
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarDestroy
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:11:00
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\xDiFxvBGxr.dll,BarFreeRec
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarCreate
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarDestroy
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarFreeRec
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",_cgo_dummy_export
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 804
Imagebase:0x2d0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellSpell
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellInit
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SpellFree
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:11:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",SignalInitializeCrashReporting
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:11:04
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",GetInstallDetailsPayload
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:11:04
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\xDiFxvBGxr.dll",BarRecognize
Imagebase:0x6b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:14
    Total number of Limit Nodes:1
    execution_graph (nodes as id: address [API]; edges as id->id)
    Nodes:
      60881: 6d3061f6
      60882: 6d306170
      60883: 6d306187 _beginthread
      60884: 6d3061a1 _errno
      60885: 6d3061d8
      60886: 6d3061e0 Sleep
      60887: 6d3061a8 _errno
      60888: 6d3061f4
      60889: 6d3061b9
      60891: 6d3061cd abort
      60892: 6d305e60 (39 API calls)
      60893: 6d2dcfc0
      60894: 6d2dcfd9
      60895: 6d2dcfe8 WriteFile
    Edges: 60881->60882, 60882->60883, 60883->60884, 60883->60885, 60884->60886, 60884->60887, 60886->60883, 60886->60888, 60887->60889, 60888->60887, 60889->60892, 60892->60891, 60891->60885, 60893->60894, 60893->60895, 60894->60895

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D3061B9
    • `av`dv, xrefs: 6D306179
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabort
    • String ID: `av`dv$runtime: failed to create new OS thread (%d)
    • API String ID: 3675047324-324622240
    • Opcode ID: ef5d001f277d717ff98f75bc24f0e57eefdb28c6d33682a1593618a62c863fb8
    • Instruction ID: 415522a818a4efef16b1693ab02cc6c02f552dfd2afc09df6c8c5b2f9a957fbf
    • Opcode Fuzzy Hash: ef5d001f277d717ff98f75bc24f0e57eefdb28c6d33682a1593618a62c863fb8
    • Instruction Fuzzy Hash: 24016DB4409314AFC710AF68C88976EBBF8FF86355F45891DE5C953252C731A484DBA3

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D3061B9
    • `av`dv, xrefs: 6D306179
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabort
    • String ID: `av`dv$runtime: failed to create new OS thread (%d)
    • API String ID: 3675047324-324622240
    • Opcode ID: 47dca6869af86da9c28ad5f37e964a8731a2e5100acd2d0ef962e5516ae7a6ea
    • Instruction ID: 77de0ffb5c4e99eb1316cf0fe43c74eb15fd968795c0c5ae29ea380b1b6ac5c1
    • Opcode Fuzzy Hash: 47dca6869af86da9c28ad5f37e964a8731a2e5100acd2d0ef962e5516ae7a6ea
    • Instruction Fuzzy Hash: 66014FB5409710DFC710AF68C8897AABBF8FF8A355F45894DE6D853262C731A440CBA2

    Control-flow Graph

    control_flow_graph (basic blocks as id: address range [API]; edges as id->id)
    Blocks:
      21: 6d2dcfc0-6d2dcfd7
      22: 6d2dcfd9-6d2dcfe6
      23: 6d2dcfe8-6d2dd000 WriteFile
    Edges: 21->22, 21->23, 22->23
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: c4251a408a2c7baa00ef1aceca4a43fa8365684ae023fe62e55a00f454683a32
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 30E0E571505600CFCB15DF18C2C171ABBE1EB48A00F0485A8DE098F74AD734ED10DB92

    Control-flow Graph

    [control-flow graph image not preserved; function starts at 6d2859f0]
    Strings
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D286C4A
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D286A06
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D28699C
    • , xrefs: 6D28606A
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D2864EC
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D28629A
    • ., xrefs: 6D2861FE
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D2862C7
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D285ABA
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D2868DC
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D286C1E
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D2864A4, 6D28678B
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D286C34
    • 5, xrefs: 6D286C27
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: 4466fcd3d86364c67080a959b5d1af5ca3d116b542d8c01e537c9107b9d5aea3
    • Instruction ID: cc02d226a51e7979e9115f6e5dbcaf684da2062df3b7ccf2c42ac0fe2c22fad5
    • Opcode Fuzzy Hash: 4466fcd3d86364c67080a959b5d1af5ca3d116b542d8c01e537c9107b9d5aea3
    • Instruction Fuzzy Hash: 5AB215745487499FC764DF28C190B9ABBF5FF89305F06892ED98987351DB30A848CF92

    Control-flow Graph

    • Executed
    • Not Executed
    [control-flow graph image not preserved; function starts at 6d2993f0]
    Strings
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D299C5B
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D2996A4, 6D299AED
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D299B1A
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D299D15
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D2996F7, 6D299721, 6D299B44, 6D299B6E
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D299C04
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D2997A2, 6D299F68
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D29967A, 6D299AB3
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D299BD7
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D29976B
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D299CE8
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D299C88
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D2996CD
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 9e9d86d7cf668aa61fc39836a68a28929429b29b7558b215725df36e361739e1
    • Instruction ID: ea44bd3451793737e5d1ba0985436b4c238c5489fd3310ef32b6c92200a5e0e2
    • Opcode Fuzzy Hash: 9e9d86d7cf668aa61fc39836a68a28929429b29b7558b215725df36e361739e1
    • Instruction Fuzzy Hash: CD523775A9C7098FD320DF69C48075ABBF5FF89304F05892DEA989B344DB74A844CB92

    Control-flow Graph

    [control-flow graph image not preserved; function starts at 6d2a1570]
    Strings
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D2A17C5
    • NtCancelWaitCompletionPacket, xrefs: 6D2A16E2
    • ntdll.dll, xrefs: 6D2A1608
    • , xrefs: 6D2A16A2
    • NtAssociateWaitCompletionPacket, xrefs: 6D2A1690
    • P, xrefs: 6D2A17E4
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D2A1807
    • RtlGetVersion, xrefs: 6D2A177E
    • , xrefs: 6D2A169A
    • NtCreateWaitCompletionPacket, xrefs: 6D2A163E
    • bcryptprimitives.dll, xrefs: 6D2A158D
    • ProcessPrng, xrefs: 6D2A15BF
    • RtlGetCurrentPeb, xrefs: 6D2A1734
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: 91ce902341cc15498880fb23b7ec36e0691a3fbcfc1a16f19d7348e5107c4576
    • Instruction ID: 75335089d89d5699d19c26ee0f37c42b9dd94140987fe8675eb34e93d9db9d22
    • Opcode Fuzzy Hash: 91ce902341cc15498880fb23b7ec36e0691a3fbcfc1a16f19d7348e5107c4576
    • Instruction Fuzzy Hash: 9471E1B8549306EFDB44DF28D18076ABBF4FB8A718F05882DE59987340DB349488CF52
    Strings
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D293C65
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D293CE2, 6D294156
    • , xrefs: 6D293E12
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D293E09
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D293C4F
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D293DAB
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D29418A
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D2941A9
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D293D81
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D293D16
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D293CB8, 6D29412C
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: aa6fee57ae8983bb7028f1e6acdcaea78a4b0b585c0e6ad315f9bea3bc501a8e
    • Instruction ID: 00661494f4e211c1ddc476428a3ffa108bfda03d39dcc87edfeb297150cc420a
    • Opcode Fuzzy Hash: aa6fee57ae8983bb7028f1e6acdcaea78a4b0b585c0e6ad315f9bea3bc501a8e
    • Instruction Fuzzy Hash: 898236B458C7999FC351DF29C090B6ABBF1BF89708F41886DE9D88B391D7309845CB92
    Strings
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D2A2E7B, 6D2A2ED6
    • %, xrefs: 6D2A2F3A
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D2A2D6E
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D2A2DEC
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D2A2E20
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D2A2EFD
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D2A2D95
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D2A2DC9
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D2A2F31
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D2A2E47, 6D2A2EA2
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D2A2D29
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: b47bd5524336bb0aaa42411fa59fc319819cefc6ed5219c4dfa5ac0802c802b3
    • Instruction ID: 6b8d9cbc01c11125a5a80c2c89175cdb971fae77db9a771d5b94336bbc594dcf
    • Opcode Fuzzy Hash: b47bd5524336bb0aaa42411fa59fc319819cefc6ed5219c4dfa5ac0802c802b3
    • Instruction Fuzzy Hash: 76C1FFB454970A9FD300EF68C19475ABBF4FF89708F06896DE6988B340D7759848CFA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 73f62054e84efec60419fa1c3a04bae475a42371a99df113aeb3adfd4bd72067
    • Instruction ID: 3a7b0812b4345ecdab7b18619d6134b174116169c5f4f84770f4fd39d1521661
    • Opcode Fuzzy Hash: 73f62054e84efec60419fa1c3a04bae475a42371a99df113aeb3adfd4bd72067
    • Instruction Fuzzy Hash: A00171B59192069BC720BF79E91A31EBFF8AF46289F01542ED9C84B244D7308444CBA3
    Strings
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D2D3E67
    • 3-, xrefs: 6D2D3E78
    • 2, xrefs: 6D2D3E70
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D2D3E51
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D2D381F
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D2D3E3B
    • 4, xrefs: 6D2D3E2E
    • p, xrefs: 6D2D3E7E
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D2D3E25
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: 7ec8a8a56b3b294d552c37d72b63c54416083b024ff6d38d30727599efce28c7
    • Instruction ID: 0b53c93e43cc5c4215815e74e05a6120c8b1f3ed0d21a62f21144e60646a1097
    • Opcode Fuzzy Hash: 7ec8a8a56b3b294d552c37d72b63c54416083b024ff6d38d30727599efce28c7
    • Instruction Fuzzy Hash: C462CB7164834A8FC354CF29C090B6ABBF1BF89714F15896DE9A88B392D735D845CF82
    Strings
    • $, xrefs: 6D2ED78D
    • !, xrefs: 6D2ED20C
    • v, xrefs: 6D2ED145
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D2ED095, 6D2ED188, 6D2ED258, 6D2ED814, 6D2ED936, 6D2ED9C7, 6D2EDA58, 6D2EDAED
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D2ED8A5
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D2ED783
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D2ED2E5
    • n, xrefs: 6D2ED2D1
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
    • API String ID: 0-3686076665
    • Opcode ID: 4ed5b8ca552209ab90e483d6d29c069b9630154fcbfb116cc1d8d16568a0bbb5
    • Instruction ID: 31d30313ace062688ddafd6c836904cac3bc86c4214f67e100744d69ea897c5a
    • Opcode Fuzzy Hash: 4ed5b8ca552209ab90e483d6d29c069b9630154fcbfb116cc1d8d16568a0bbb5
    • Instruction Fuzzy Hash: 327216B494834A8FC324DF29C18075AFBF1BBC9744F95892DE9A887341DB74A944CF92
    Strings
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWSleepyMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg, xrefs: 6D2F3CEA, 6D2F3FB5
    • 0, xrefs: 6D2F31D1
    • 0, xrefs: 6D2F3387
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D2F3D04, 6D2F3FCF, 6D2F4113, 6D2F43F5
    • 0, xrefs: 6D2F3464
    • 0, xrefs: 6D2F3270
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6D2F40F9, 6D2F43DB
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWSleepyMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
    • API String ID: 0-1753910299
    • Opcode ID: 573958af9f9caf308826454e64a25d91ba752e00f702c677073f641cc6d546c2
    • Instruction ID: f4efa399f577f8c869653c29641517ed1f6856baecc7ab151085beb893e12c08
    • Opcode Fuzzy Hash: 573958af9f9caf308826454e64a25d91ba752e00f702c677073f641cc6d546c2
    • Instruction Fuzzy Hash: 5303D1B5A893868FC325CF18C09069EFBE1BFC9300F158D2EE99997351D770A945CB92
    Strings
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D2C66B3
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D2C6440
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D2C6686
    • , xrefs: 6D2C6159
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D2C651D
    • , xrefs: 6D2C6151
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D2C6659
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D2C67E5
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 49b106c2cbcb3aa3d71aaeb0294d18dd6da47ab0d2f55195091c9fe8de6121b2
    • Instruction ID: 98e789194e7fe97fea9c70c9ede6c6f2c0e4095ca50561bb272d94d9b39f4e98
    • Opcode Fuzzy Hash: 49b106c2cbcb3aa3d71aaeb0294d18dd6da47ab0d2f55195091c9fe8de6121b2
    • Instruction Fuzzy Hash: 8332D37468C7858FC365DF29C180BAABBE1AF89705F058D2EE9C897351D7309849CB93
    Strings
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D2A1C0D
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D2A1BD9
    • winmm.dll, xrefs: 6D2A1AF3
    • &, xrefs: 6D2A1C3D
    • timeEndPeriod, xrefs: 6D2A1B73
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D2A1C34
    • timeBeginPeriod, xrefs: 6D2A1B29
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 4702793ce5f629fccadaee898392354ad65048e3b7e6dafd3ce91a75e3ae1809
    • Instruction ID: fac4f8b0fb2fc8817290bb503eac2cd27eb2e99956efa49f05c5d95156ba0887
    • Opcode Fuzzy Hash: 4702793ce5f629fccadaee898392354ad65048e3b7e6dafd3ce91a75e3ae1809
    • Instruction Fuzzy Hash: F351F4B454930AAFD744EF68C09472ABBF4FF99309F05882DE59987340DB709448CF92
    Strings
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D2AE093
    • !, xrefs: 6D2AE0DE
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D2AE0BF
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D2AE0A9
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r, xrefs: 6D2AE0D5
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D2AE0EB
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3082151594
    • Opcode ID: ac20b134f137878601d691ed86bbf5919619bf5a2b5f1ef8a91cff2b989f5fd8
    • Instruction ID: 2a8d176be013b7227b7ae2c341dba2cd86e85cfae1f3125a0486c583dfda20b6
    • Opcode Fuzzy Hash: ac20b134f137878601d691ed86bbf5919619bf5a2b5f1ef8a91cff2b989f5fd8
    • Instruction Fuzzy Hash: B3A2DE7464D34A9FD724DF69C090B6ABBF4BF8A744F05882DE9D887340EB359844CB52
    Strings
    • d, xrefs: 6D2A1276
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D2A1369
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D2A1417
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D2A13C4
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D2A139D, 6D2A13F8, 6D2A144B
    • 5, xrefs: 6D2A1420
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 12c000e008ae2af5d44247d64c18a83af1c8f518c50d5927692269f4bc1cc49b
    • Instruction ID: 291a583a7f3800bc2d8b8a47c0f466e0495341bda51fe3a8341c4bf39a4f33b3
    • Opcode Fuzzy Hash: 12c000e008ae2af5d44247d64c18a83af1c8f518c50d5927692269f4bc1cc49b
    • Instruction Fuzzy Hash: 1E51CDB454C70A9FD740EF68C19471ABBF4EF88308F06882DEA9887350D7749948CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID: Erro: %s
    • API String ID: 1365068426-2412703935
    • Opcode ID: 9fbb05cf4b61adc0022719aa98549389080a27e5d72a506cb2dd11d095629d56
    • Instruction ID: a602e3c277560b056532a28f71bc0655f214f095108f443e7747747bc5e8fd12
    • Opcode Fuzzy Hash: 9fbb05cf4b61adc0022719aa98549389080a27e5d72a506cb2dd11d095629d56
    • Instruction Fuzzy Hash: 3B014DB0408301AFD700AF64C58931EBFF4BB89749F41891DE8D89A294E7798548CF93
    Strings
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D29198C, 6D2919DB
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D291A0F
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D2919C0
    • !, xrefs: 6D291A18
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: 439e168a4458f26297ff999bf89455c41922f910773a56f63b58ebfa9ccf68c2
    • Instruction ID: 07ccab0e74de9af4a8b9d081518e30e947a27eedde4b408ea3d37d9e7e998efe
    • Opcode Fuzzy Hash: 439e168a4458f26297ff999bf89455c41922f910773a56f63b58ebfa9ccf68c2
    • Instruction Fuzzy Hash: 7EF1F43668932A4FD306CE6AC4C065EB7E6FBC8308F15893CD9949B384EB71D845C6C2
    Strings
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D2AA7EB
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D2AA690
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D2AA7B0
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D2AA843
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: c613a892929184363b7ef3c6fb8362dbefe3d4aeb2aa3899f57b04a6893131a9
    • Instruction ID: 04afff8e1f1206142cdb2af4418360aa1f02eb050e63723872de80836a34a6f2
    • Opcode Fuzzy Hash: c613a892929184363b7ef3c6fb8362dbefe3d4aeb2aa3899f57b04a6893131a9
    • Instruction Fuzzy Hash: EEF1FE74A4C3469FC348CF68C190A6ABBF1BF89704F45896EE99887351DB70E945CF42
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: .$@$gfff$gfff
    • API String ID: 0-2633265772
    • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
    • Instruction ID: c55cecb127dd55a37ccbd9ec43d84dae83fdc2be0c3e4c81e67de65cfc57f0ee
    • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
    • Instruction Fuzzy Hash: 67D1BFB2A093068BD704CE29C48435BBBE2BF85354F08C92DE9988B355E771DD49CBD2
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: a559b15c8f7b7c13edde96725cb639d9b4e34bfedf4119f313cbc9bb9626eccf
    • Instruction ID: fba3690015fc09ae88f1835bc2c9726dde738d9c0d2c582191277c0963c6e3a8
    • Opcode Fuzzy Hash: a559b15c8f7b7c13edde96725cb639d9b4e34bfedf4119f313cbc9bb9626eccf
    • Instruction Fuzzy Hash: 8D21E2B0A093019BDB00EF64C4C872ABBF4BF84304F55C96DE8898B249D736D885CF92
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 8af75385e33b361381e5b89a0b2a52dbf91417a6f831615b83bc5dd5097a2bb4
    • Instruction ID: cbf84850f434333119e37afe3c6c1cc9db95e6caabb63efc316d2b40f5105eae
    • Opcode Fuzzy Hash: 8af75385e33b361381e5b89a0b2a52dbf91417a6f831615b83bc5dd5097a2bb4
    • Instruction Fuzzy Hash: 6021CEB89083469FD704CF25C090B5ABBF0FB89318F45882EE49987340E7759A88CF83
    Strings
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D2B69D7
    • <, xrefs: 6D2B6A0D
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D2B6A04
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 5b284cf2e4ef7968e672c712a8b612506fca816171ddd71d8fe65fd734540607
    • Instruction ID: c75c47b3f064d5bbcfbad6c19568e001c115d36ea4bc22bf078b0763ddb797e9
    • Opcode Fuzzy Hash: 5b284cf2e4ef7968e672c712a8b612506fca816171ddd71d8fe65fd734540607
    • Instruction Fuzzy Hash: D6025C70A4C70A8FC714DF69C1D061ABBE1BFC8749F15892DE9998B350DBB1E845CB82
    Strings
    • ', xrefs: 6D2A64AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D2A648D
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D2A64A3
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 109c21d8c7f5df8e113a5008e6b3cfa1041810b20c7d75907f6b2aa5d6e0bf29
    • Instruction ID: ac6596276f3a2ad191bae6807ef7a9cef08b0e0ee70b41e1de78037442c3d9ce
    • Opcode Fuzzy Hash: 109c21d8c7f5df8e113a5008e6b3cfa1041810b20c7d75907f6b2aa5d6e0bf29
    • Instruction Fuzzy Hash: 7BD12F7468C74A8FC705CF29C090A2ABBF1EF8A705F49886DE9C487351D735E944CB82
    Strings
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D296D4E
    • +, xrefs: 6D296D57
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 24b48b4717689a3f461bdb5934eaf42de47d4385ed8d428596d4aba6ba8439b1
    • Instruction ID: 026e92235e795e4b4c5bc49e0759e0c099bc87674bf6575afb724c33a67a9af8
    • Opcode Fuzzy Hash: 24b48b4717689a3f461bdb5934eaf42de47d4385ed8d428596d4aba6ba8439b1
    • Instruction Fuzzy Hash: 1422FF7464C34A9FD354DF2AC190A6ABBF1BF89745F01892DE9D88B350DB35E844CB82
    Strings
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D29B60F
    • @, xrefs: 6D29B4FB
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: a809ca77c4ecda65e1f95094a003ec1915cc044cb223153b2ff831ad73235495
    • Instruction ID: e3342870d3f1674f4efc3c68332a79118c7709a7146c55eb03a52dcabc9832be
    • Opcode Fuzzy Hash: a809ca77c4ecda65e1f95094a003ec1915cc044cb223153b2ff831ad73235495
    • Instruction Fuzzy Hash: A0A1C175A5870A8FD704CF19C8C065AB7E1FFC8314F458A2DE9999B341DB34E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: 423ac0189a732759c61c532e0a40a09e945fcb253207c7d3ec5886ae3acc5dda
    • Instruction ID: f8d124c6266be12634ab6148e50d80f1633c09c73739e1916c43cf7c5b49b13e
    • Opcode Fuzzy Hash: 423ac0189a732759c61c532e0a40a09e945fcb253207c7d3ec5886ae3acc5dda
    • Instruction Fuzzy Hash: 8F515114C1CF9B65E6330ABDC442A667B24AEB3140B01D76FFDD6B54B2E7126940BE22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D28CFA1
    • ,, xrefs: 6D28CFAA
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: dd6a991c6928cefe0e64ff715f596f997b633bbf68ecebfb8d77e30084a57010
    • Instruction ID: 4b984a7350ea42cb658dbfab93356a58689ecba0ebbfd8757996dd50a7ba4b0b
    • Opcode Fuzzy Hash: dd6a991c6928cefe0e64ff715f596f997b633bbf68ecebfb8d77e30084a57010
    • Instruction Fuzzy Hash: 9B319375A493568FD305DF14C490B69B7F1BB86608F4981BDDD884F383CB31A84ACB81
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D2F5C8E
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: bb76230ab401984173e99f7e221db8a75b1eea32c2c3042a6577f30564b583c8
    • Instruction ID: b2aca56922bbe4280dd06654e18b8b04b0ac00f27fca062b141a19c7cca4f256
    • Opcode Fuzzy Hash: bb76230ab401984173e99f7e221db8a75b1eea32c2c3042a6577f30564b583c8
    • Instruction Fuzzy Hash: F25226B19483898FD334CF18C59079EFBE1ABC9304F45892DDAD89B381E7B599458B82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: b448be06e68ccc87da74aaf15f49ad3b5220e1e593ae44c62d141b7cc3615ee1
    • Instruction ID: b1cba9804fad292713aa86eb533dbb91878533333a89999596ac8deac882a4e5
    • Opcode Fuzzy Hash: b448be06e68ccc87da74aaf15f49ad3b5220e1e593ae44c62d141b7cc3615ee1
    • Instruction Fuzzy Hash: 3222B07568D34A8BC764DE18C4C4A6EF7E1AFC9304F14CA2DD9998B395DB30A905CB83
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D280D52
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 357dac7e6004e5c5ac81153e469a2c48f780137aa77bff028e41c1d632cc3d7e
    • Instruction ID: 622e00001f7d05b89bba1e7212924efd8b24903ecef79ff4f246c43cd68e4efc
    • Opcode Fuzzy Hash: 357dac7e6004e5c5ac81153e469a2c48f780137aa77bff028e41c1d632cc3d7e
    • Instruction Fuzzy Hash: C0D1487464D34A9FC744DF29C180A2ABBE0BF89748F01896DF8D987382E735D949CB52
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D29D3CB
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 7df0136fc0822c6579c00954ea04b737eac841929bfbd8162156bbc22d14571d
    • Instruction ID: a58ae0454a27899d1f896c52d24e1c227d66ea5f4df5bb904fa3e59fa0491b31
    • Opcode Fuzzy Hash: 7df0136fc0822c6579c00954ea04b737eac841929bfbd8162156bbc22d14571d
    • Instruction Fuzzy Hash: 0BB1E274A8830A9FC704DF69C08092AB7F1BBC9744F82882DE9958B351E734E945DF82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 3b4c3f81b18c1513001c76d3470dca7e2b86b9411fb81430004512e70439d446
    • Instruction ID: 7164d5ac4c63deb7bbad7b1c6aef978a7e98aa47703aa2a053561fddce08db14
    • Opcode Fuzzy Hash: 3b4c3f81b18c1513001c76d3470dca7e2b86b9411fb81430004512e70439d446
    • Instruction Fuzzy Hash: CAA16E71B483054FC70CDE6DD99131EFAE6ABC8304F05CA3DE588CB7A4E63499098B86
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 5b749de10f029ae178c73ab9e397eaf5a0d9780d11cca50df55912ac45302600
    • Instruction ID: f028fe12181e10fcf0b8f6cc65bb7119aed63f9fbed5abf33cfa6d8015a27f26
    • Opcode Fuzzy Hash: 5b749de10f029ae178c73ab9e397eaf5a0d9780d11cca50df55912ac45302600
    • Instruction Fuzzy Hash: 6F9121B5A593099FC344CF29C080A1EBBE1FF89744F41992EE9989B341E735D985CF82
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 42c5ebcf762d72f09c4ae9e9acfa70ec9b26c8578a4652ec9a71d3cbd8d4653e
    • Instruction ID: f4e560ec18b1442ac9efdecc859101ee410f8952a78db98500467a87257d6365
    • Opcode Fuzzy Hash: 42c5ebcf762d72f09c4ae9e9acfa70ec9b26c8578a4652ec9a71d3cbd8d4653e
    • Instruction Fuzzy Hash: 9E827F75A4834A8BC329CE09C49179AF7F2BBDD340F95892ED5ADD3350E770A905CB82
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f9ace234b2b29d26e94a30449fd797eddcebfa960cb44b20eae31ca6712b2bed
    • Instruction ID: bd8a3f5a796f38bb3d67d75b0d85842a293676aef71a06ac8aaa47bedf737eee
    • Opcode Fuzzy Hash: f9ace234b2b29d26e94a30449fd797eddcebfa960cb44b20eae31ca6712b2bed
    • Instruction Fuzzy Hash: C2226F72ADC34A8BD724CE65C49076BF7E2BBC5705F558C3DE98587240EB71980A8B82
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 21bd2f41a602aa07fc5debc7d47b95e2fd8ab7f64272206a506c995cf35f6b31
    • Instruction ID: e272bc0a2b47de1957ea1a06b20147755b8230b294ee7243642c82a6c4e6d005
    • Opcode Fuzzy Hash: 21bd2f41a602aa07fc5debc7d47b95e2fd8ab7f64272206a506c995cf35f6b31
    • Instruction Fuzzy Hash: 18129872A487098FD324DE5DC98124AF7E6BBC4304F55CA3DE9588B355EB70E9098B82
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b4c4f46cc71c1c78f8dddf8acda93526823b6d1b84b69443539fa75e45fa7e98
    • Instruction ID: ddeae22db5936f17e10f56e044e9238c7507e32c9e6a1297f0a9177d11aa90bf
    • Opcode Fuzzy Hash: b4c4f46cc71c1c78f8dddf8acda93526823b6d1b84b69443539fa75e45fa7e98
    • Instruction Fuzzy Hash: 2AE12833B9971A4BD315DDAEC8C025EB2D2ABC8754F09863CDD649B380FA75DC0A96C1
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 661093879ea36bd4512d47b3f328d0bd37b54722894b291a0dfce3d0a994259b
    • Instruction ID: f21808a5662ec26cfcac31692473a347371d0db9aa6dffb614bf7b511b03c8a1
    • Opcode Fuzzy Hash: 661093879ea36bd4512d47b3f328d0bd37b54722894b291a0dfce3d0a994259b
    • Instruction Fuzzy Hash: 32028E3164C34A8FC364CE68C480A2AF7E1BF89708F558A3DE9998B341D731ED45DB92
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cf791265e4265e4548c2f0d2e7e88cf50c6b5344c60adf15131d97298188ab9c
    • Instruction ID: 1eef969108f243048bbb121d37afc7b34184a34712f68b13629eb2ed2b9380c5
    • Opcode Fuzzy Hash: cf791265e4265e4548c2f0d2e7e88cf50c6b5344c60adf15131d97298188ab9c
    • Instruction Fuzzy Hash: 8FE1D533E2472507D3149E59CC80249B2D2ABC8670F4EC73DDD95AB781E9B4ED5987C2
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ac76dc7d64efaacfcd95758d6a4d2900dd1ff75d197472e3d3e59f5e14cef633
    • Instruction ID: 898d3ee3be3c61fb554264b7ed0310478ea36caff571ab4c901e7f64c0cdb514
    • Opcode Fuzzy Hash: ac76dc7d64efaacfcd95758d6a4d2900dd1ff75d197472e3d3e59f5e14cef633
    • Instruction Fuzzy Hash: E7E18172ADC36A8BC305CF25C49021EFBE2FBC5706F458D6DE8959B241E77199068BC2
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 68398b54a7dd4d375e656f2f9b4aead1c4d1b5e699226e52caa940cdc728e045
    • Instruction ID: 8bf4a723c4e95387c5e363c1c40ba57e17f4100ef7ae8c43b76e00f3cc726793
    • Opcode Fuzzy Hash: 68398b54a7dd4d375e656f2f9b4aead1c4d1b5e699226e52caa940cdc728e045
    • Instruction Fuzzy Hash: 8AC1E432B4831A4FC719DE2CD89061EF7E2ABC8304F59863DE9558B3A5E774EC098781
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5a6d1f32132384a7430371a7937375848703d65a9f985ecd88846aacb74b70bd
    • Instruction ID: 8b3e5dff11c802ee1a8c3317829ec2904f88dc3d9a7860335fc70cc6d7ddf783
    • Opcode Fuzzy Hash: 5a6d1f32132384a7430371a7937375848703d65a9f985ecd88846aacb74b70bd
    • Instruction Fuzzy Hash: C5E1B57558C35A8FC355DF28C4C092AFBE1AFCA204F058A7DE9958B392D730E945CB92
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7df2e131b3f698b10f56f57561656781e1184700c329cdfb9cdb294675790780
    • Instruction ID: 2b4eafe73e5288195d71591caa84bba99019e8af75a28b950af2766e27c8c810
    • Opcode Fuzzy Hash: 7df2e131b3f698b10f56f57561656781e1184700c329cdfb9cdb294675790780
    • Instruction Fuzzy Hash: CFF1D07464C3958FC365CF29C090B5ABBE2BFC9704F58892EE9D887351DB31A846CB52
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6dedd9f5bfd2d13a996954f151ec096ded5cef20d1b3995d27e06ca1e937fcba
    • Instruction ID: fd199561ed70f3b63679f05e320171ba09a5ee4daeab492f16bcfc4c7da22810
    • Opcode Fuzzy Hash: 6dedd9f5bfd2d13a996954f151ec096ded5cef20d1b3995d27e06ca1e937fcba
    • Instruction Fuzzy Hash: 21C1527060432A4FC251CE5EDCC0A6A73E1AB4821DF91867D96448F7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f454795d767a60ab29fc79ebb1614b507fbfd3fc089c9618d848c695edee17a6
    • Instruction ID: 04f5e83432a07262a340125278e982dff6b16a2d41b433df936fba1d468b3336
    • Opcode Fuzzy Hash: f454795d767a60ab29fc79ebb1614b507fbfd3fc089c9618d848c695edee17a6
    • Instruction Fuzzy Hash: 04C1527060432A4FC251CE5EDCC0A6A73E1AB4821DF91867D96448F7C3DA3AF46B97A4
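    The two entries immediately above (Opcode IDs beginning 6dedd9f5bfd2 and f454795d767a) carry instruction fuzzy hashes that differ only in their first two hex digits, something the flat listing does not call out. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in this listing's format, strips the "Download File" link text that the page extractor fused onto every Associated line, and flags near-identical function pairs with a positional-agreement heuristic of my own that is not Joe Sandbox's similarity metric. The three sample records are copied from this listing, with the repeated Associated lines cut to one and records 2 and 3 reduced to their hash fields.

```python
"""Parse Joe Sandbox per-function similarity records and flag near-identical functions."""
import re
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample: three records excerpted from the function listing above. The page's
# twelve repeated "Associated:" lines are cut to one, and records 2 and 3 keep only the hashes.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
• Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7df2e131b3f698b10f56f57561656781e1184700c329cdfb9cdb294675790780
• Instruction ID: 2b4eafe73e5288195d71591caa84bba99019e8af75a28b950af2766e27c8c810
• Opcode Fuzzy Hash: 7df2e131b3f698b10f56f57561656781e1184700c329cdfb9cdb294675790780
• Instruction Fuzzy Hash: CFF1D07464C3958FC365CF29C090B5ABBE2BFC9704F58892EE9D887351DB31A846CB52
Memory Dump Source
• Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
• Opcode ID: 6dedd9f5bfd2d13a996954f151ec096ded5cef20d1b3995d27e06ca1e937fcba
• Instruction ID: fd199561ed70f3b63679f05e320171ba09a5ee4daeab492f16bcfc4c7da22810
• Opcode Fuzzy Hash: 6dedd9f5bfd2d13a996954f151ec096ded5cef20d1b3995d27e06ca1e937fcba
• Instruction Fuzzy Hash: 21C1527060432A4FC251CE5EDCC0A6A73E1AB4821DF91867D96448F7C3DA3AF46B97A4
Memory Dump Source
• Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
• Opcode ID: f454795d767a60ab29fc79ebb1614b507fbfd3fc089c9618d848c695edee17a6
• Instruction ID: 04f5e83432a07262a340125278e982dff6b16a2d41b433df936fba1d468b3336
• Opcode Fuzzy Hash: f454795d767a60ab29fc79ebb1614b507fbfd3fc089c9618d848c695edee17a6
• Instruction Fuzzy Hash: 04C1527060432A4FC251CE5EDCC0A6A73E1AB4821DF91867D96448F7C3DA3AF46B97A4
"""

# One "• Label: value" line; labels the report uses but we do not keep are simply ignored.
FIELD_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", re.MULTILINE)
ATTR = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
        "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}
RESIDUE = "Download File"  # link text the page extractor fused onto every "Associated:" line


@dataclass
class FunctionRecord:
    source_file: str = ""
    associated: list = field(default_factory=list)
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


def parse_records(text):
    """Split the listing on its 'Memory Dump Source' record header and collect the labelled fields."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        rec = FunctionRecord()
        for label, value in FIELD_RE.findall(chunk):
            if label == "Associated":
                if value.endswith(RESIDUE):            # strip the fused link text
                    value = value[: -len(RESIDUE)].rstrip()
                rec.associated.append(value)
            elif label == "Source File":
                rec.source_file = value.split(",")[0]  # keep the .sdmp name, drop "Offset: ..."
            elif label in ATTR:
                setattr(rec, ATTR[label], value)
        records.append(rec)
    return records


def positional_similarity(a, b):
    """Fraction of positions at which two fuzzy hashes carry the same hex digit.
    A crude heuristic of my own, not Joe Sandbox's similarity metric; unequal lengths score 0."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def near_duplicate_pairs(records, threshold=0.9):
    """Record pairs whose instruction fuzzy hashes agree at >= threshold of positions."""
    pairs = []
    for r1, r2 in combinations(records, 2):
        score = positional_similarity(r1.instruction_fuzzy, r2.instruction_fuzzy)
        if score >= threshold:
            pairs.append((r1.opcode_id[:12], r2.opcode_id[:12], round(score, 3)))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{r.opcode_id[:12]}  {r.instruction_fuzzy}  associated={len(r.associated)}")
    for a, b, score in near_duplicate_pairs(recs):
        print(f"near-duplicate functions: {a} ~ {b} ({score:.0%} positional agreement)")
```

    Run it against a full report export to get one line per function plus the pairs worth opening side by side in IDA; the positional heuristic deliberately treats the leading digits like any other position, so pairs that share only a long common tail still surface, but it says nothing about why Joe Sandbox assigns the value it does.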
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bae8244f844e0c26295651cbf6f646d6bbe648cae92fa7aa157f80869c5eef5a
    • Instruction ID: eb74a5fe1a166f98eeceeed6b0cab12c6de023e9e5b72a1cd71e62c2257c9920
    • Opcode Fuzzy Hash: bae8244f844e0c26295651cbf6f646d6bbe648cae92fa7aa157f80869c5eef5a
    • Instruction Fuzzy Hash: E791683268971A4FC31ACE9EC4D056EB3E2FBC8744F55873CE9694B380EB719909C681
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: be593317a504f43279975f0338addb88f466b06e14442c97046fbe10ba407fb1
    • Instruction ID: a91ac0d7b1d8bc15bc9223f6caf93dde4b5546d5cfa6cc15bdcbf72a82b1ad40
    • Opcode Fuzzy Hash: be593317a504f43279975f0338addb88f466b06e14442c97046fbe10ba407fb1
    • Instruction Fuzzy Hash: 54815737A9832E0FD726CDAA88D061D7692ABC8718F0A463CD9748F3C5FB71990592D1
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0fdaa9f86a81846a4630ed1f2981addc8e3640836c1e11a049c7de75aa77565d
    • Instruction ID: 44c25e3637096847237019ff3c8d434a933809b57e35c996bb74a9c720c0ca42
    • Opcode Fuzzy Hash: 0fdaa9f86a81846a4630ed1f2981addc8e3640836c1e11a049c7de75aa77565d
    • Instruction Fuzzy Hash: 3091C776A187194BD304DE59CCC0659B3E2BBC8324F49C63CECA89B345E674EE49CB81
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0c410ddbee6fb31044fc9187a6fb56736b08d0103d1551608ae9384a17d56877
    • Instruction ID: 95a25fd5f74ed6939974201288ecf01b11412851693e1a03a711df5a1344ad32
    • Opcode Fuzzy Hash: 0c410ddbee6fb31044fc9187a6fb56736b08d0103d1551608ae9384a17d56877
    • Instruction Fuzzy Hash: A881FAB2A183148FC324DF19D88095AF7E2BFC9748F46892DF988D7311D771E9158B86
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd

    Control-flow Graph (graph image not reproduced; its basic blocks span 6d30b7c0-6d30bc7f and reference fwrite, vfprintf, abort, VirtualQuery, VirtualProtect and GetLastError)
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D30B7E8
    • Address %p has no image-section, xrefs: 6D30B96B
    • VirtualProtect failed with code 0x%x, xrefs: 6D30B926
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D30B957
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    APIs
    Strings
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID: #
    • API String ID: 533997002-1885708031
    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6D3060E8
    • unexpected cgo_bindm on Windows, xrefs: 6D306070
    Similarity
    • API ID: CriticalSection$EnterLeaveabort$Event
    • String ID: runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 123483900-760755518
    APIs
    Strings
    Similarity
    • API ID: Heap$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: @
    • API String ID: 3801555102-2766056989
    APIs
    Strings
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: e37c42d01c981354ad12686298e902ed37e6605b4edd89281a802d84a74e3133
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: 9CF18171A046198FCB01CF69C48079DBBF6BF89360F19C229D994AB399D734E985CBD0
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: 5cf846c52165d6b3700c17cbc315d734272edcbe0ace0150d2adb2e742fb54d5
    • Instruction ID: 67e5e24ca640356941514aa514fb4d13fe85edda83592798e0e3b8e1f5e9eab5
    • Opcode Fuzzy Hash: 5cf846c52165d6b3700c17cbc315d734272edcbe0ace0150d2adb2e742fb54d5
    • Instruction Fuzzy Hash: F0F1037160C7868BD721AF28C4907ABBBE5BF85314F058A2DDADC87381D735D906CB92
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: aa16019902ec1b24f5634326a22349f28e671d406eef4073ed919d48131f194f
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: 41C17DB2E142168BDB05CF6CC88079DBBF5BF89314F15C259E954AB389D335E846CB90
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: c01b5b96616b555d83a36b450294ffef9a88b45ab8639d9ae4eafe75175f0bac
    • Instruction ID: 3b14d1215469e99d6b4a192c34b36615539d268e20e3be31b52c4f0370f8a970
    • Opcode Fuzzy Hash: c01b5b96616b555d83a36b450294ffef9a88b45ab8639d9ae4eafe75175f0bac
    • Instruction Fuzzy Hash: 41F06DB48462029BDB00BF7D9E4636ABEF8AA05215F00453BD885DB245E771E454CBF3
    APIs
    • Sleep.KERNEL32(?,?,?,6D271281,?,?,?,?,?,?,6D2713AE), ref: 6D271057
    • _amsg_exit.MSVCRT ref: 6D271086
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: a0cdfa5855b2f426b6ec2c848cdd67df97c9c00398284d1d80158c8395d760e1
    • Instruction ID: d3263cd8bbcd8d2555c84e4a259b03fb843891d2a424b75a05ebdd5338bae994
    • Opcode Fuzzy Hash: a0cdfa5855b2f426b6ec2c848cdd67df97c9c00398284d1d80158c8395d760e1
    • Instruction Fuzzy Hash: 1131B270A592469BDB32AF29C49576B77F8FFC6344F01842EC9848B290D771C8C5CB92
    Similarity
    • API ID: fputc$memset
    • String ID: 0$o
    • API String ID: 2944404495-4157579757
    • Opcode ID: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
    • Instruction ID: 2e6b1f84bb28896533f553f47fd2a37382423e1587644597369792c306504c91
    • Opcode Fuzzy Hash: 554f7f9faea69a16024aefb5dd32d29328ec9af7303e668e9847430315f7532b
    • Instruction Fuzzy Hash: E1319CB1A083058FCB00CF69C0D479EB7F5BF88354F018529DA95AB345E378E881CB90
    APIs
    • bsearch.MSVCRT ref: 6D304ECF
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D305DAF), ref: 6D304F0F
    • malloc.MSVCRT ref: 6D304F44
    • qsort.MSVCRT ref: 6D304FB4
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: d88460f4d57041ad1702f303bd045b89c24664ec9b37215cdcbb0959f95d406b
    • Instruction ID: f4ba3c7d1507f0f953f65ba84a2f128ca32875368f3f30ce935496c046eee9d5
    • Opcode Fuzzy Hash: d88460f4d57041ad1702f303bd045b89c24664ec9b37215cdcbb0959f95d406b
    • Instruction Fuzzy Hash: 1B4187726183018FC310EF29D48062ABBF5FF9C344F46892DE9898B350E771E945CB92
    Similarity
    • API ID: ErrorLastLocaleThread
    • String ID:
    • API String ID: 1348403374-0
    • Opcode ID: 582f5d3c0b0db59f3c157aaec600362e9dfb0693e2078fae2f6014411a8c183a
    • Instruction ID: bed6a069839bbe77c9b7e15bf7dc92ef1b4e640d8111c0b3c136286fc98f0734
    • Opcode Fuzzy Hash: 582f5d3c0b0db59f3c157aaec600362e9dfb0693e2078fae2f6014411a8c183a
    • Instruction Fuzzy Hash: 1A21D5716142019FD700EB39C88466BB7F5BF89325F09CA29E5A9C73D0EB35E8448B92
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: 899b971ac29b19650b103fa30fc32c99917291c8e53def6cff13c9a389ee4592
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: B7116D719082118FEB40DF28C48075ABBE4FF89714F15CAA9D998CF285EB34C845CBB2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D305FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D3046F9), ref: 6D305FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3046F9), ref: 6D30600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D3046F9), ref: 6D30601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D3046F9), ref: 6D306030
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 89279f7af936193e43b3851cc6fb319ddd4c3966b36012d00e3d8fc886df6153
    • Instruction ID: 34d05532b38b0f25e5b4dc37c94f547a2a266ae174b9b0d2d38c785b1734287f
    • Opcode Fuzzy Hash: 89279f7af936193e43b3851cc6fb319ddd4c3966b36012d00e3d8fc886df6153
    • Instruction Fuzzy Hash: 6B0192B5504315DBCB10BF7DC58AA2BBBB8AF46354F01462ED88043A85E730A848CB93
    Similarity
    • API ID:
    • String ID: (null)$@
    • API String ID: 0-1380778734
    • Opcode ID: 81ff22d6f3a49dcfd79a84474eeb1188112abf98f3a79563879d560b3d61a75a
    • Instruction ID: a8ae08e4aa48aec24fb8a8d713b27c2b1cdf327512a07dedbfa980d7458899c6
    • Opcode Fuzzy Hash: 81ff22d6f3a49dcfd79a84474eeb1188112abf98f3a79563879d560b3d61a75a
    • Instruction Fuzzy Hash: A6A1CD3160C7968BD721EF24C4903ABBBE5BF86318F108A1DD9D897381D736D946CB92
    Strings
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6D30BAA0
    • Unknown pseudo relocation bit size %d., xrefs: 6D30BAED
    • Unknown pseudo relocation protocol version %d., xrefs: 6D30BC73
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: bc145a01dabf02b8659c4717c81000b46e1e9caaba9a7b0d56d8d0063f7b31d5
    • Instruction ID: 85bf23be7f1a2d9856609e39852215742e49f1b6674c54d1b22f9b13863ce421
    • Opcode Fuzzy Hash: bc145a01dabf02b8659c4717c81000b46e1e9caaba9a7b0d56d8d0063f7b31d5
    • Instruction Fuzzy Hash: E371AA75D14A0ADBCB10CF2DC880BAAB7F8BF45318F05852AD994EB608D371A905CB92
    APIs
    • malloc.MSVCRT ref: 6D30625F
    • abort.MSVCRT ref: 6D3062A2
    • free.MSVCRT ref: 6D3062C5
      • Part of subcall function 6D306170: _beginthread.MSVCRT ref: 6D306196
      • Part of subcall function 6D306170: _errno.MSVCRT ref: 6D3061A1
      • Part of subcall function 6D306170: _errno.MSVCRT ref: 6D3061A8
      • Part of subcall function 6D306170: abort.MSVCRT ref: 6D3061CD
    Strings
    • runtime/cgo: out of memory in thread_start, xrefs: 6D306292
    Similarity
    • API ID: _errnoabort$_beginthreadfreemalloc
    • String ID: runtime/cgo: out of memory in thread_start
    • API String ID: 2078976911-3894583329
    • Opcode ID: 3900bf934eaafe605a195654011c7aafe98e033d10b19122d9085dba8f89575b
    • Instruction ID: 7200c435e81cf903f3bc129b1cf20a81bddf777418f5243400f8d03a8f8a1b0a
    • Opcode Fuzzy Hash: 3900bf934eaafe605a195654011c7aafe98e033d10b19122d9085dba8f89575b
    • Instruction Fuzzy Hash: EF21C4B59087009FC700EF68C58491AFBF8FF89304F46899DDAC89B325D734A881CB92
    APIs
    • CreateEventA.KERNEL32 ref: 6D305EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D305F65), ref: 6D305ECB
    • abort.MSVCRT ref: 6D305EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D305EE5
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: a654d8bf60515c9d5cd8517bd1f3bd3ca12de2205cceb591507842d3a3830371
    • Instruction ID: 7cf3abf5d2073d671a4aa45289611731d9366f3c96fd49cbaa8f154ea1a63de3
    • Opcode Fuzzy Hash: a654d8bf60515c9d5cd8517bd1f3bd3ca12de2205cceb591507842d3a3830371
    • Instruction Fuzzy Hash: 91F017B0409B01EBEB00BF78C50E36EBBF4BB41345F85895DD5D986681EB7A8044CB93
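    Most of the functions in this stretch of the listing are library code rather than sample-specific logic: the "pseudo relocation" strings belong to the MinGW-w64 CRT, "runtime/cgo: out of memory in thread_start" and "runtime: failed to create runtime initialization wait event." are Go runtime diagnostics, and the Sleep/_amsg_exit pair near the image base is consistent with MinGW's DLL CRT start-up. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses function records in the text form shown on this page (APIs, Strings, Similarity fields) and tags records whose APIs or strings match a small marker list, so that an analyst can skip runtime code and concentrate on the remaining functions. The three records in SAMPLE_REPORT are copied from blocks on this page; the marker lists, the tag names and the record-boundary rule (a record closes on the next heading after its Opcode ID) are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: three records in the page's own text layout (trimmed to the
# fields the parser uses). The values are copied from the report blocks above.
SAMPLE_REPORT = """
APIs
• malloc.MSVCRT ref: 6D30625F
• abort.MSVCRT ref: 6D3062A2
Strings
• runtime/cgo: out of memory in thread_start, xrefs: 6D306292
Similarity
• API ID: _errnoabort$_beginthreadfreemalloc
• String ID: runtime/cgo: out of memory in thread_start
• API String ID: 2078976911-3894583329
• Opcode ID: 3900bf934eaafe605a195654011c7aafe98e033d10b19122d9085dba8f89575b
• Instruction ID: 7200c435e81cf903f3bc129b1cf20a81bddf777418f5243400f8d03a8f8a1b0a
Strings
• Unknown pseudo relocation bit size %d., xrefs: 6D30BAED
Similarity
• API ID:
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
• API String ID: 0-1286557213
• Opcode ID: bc145a01dabf02b8659c4717c81000b46e1e9caaba9a7b0d56d8d0063f7b31d5
• Instruction ID: 85bf23be7f1a2d9856609e39852215742e49f1b6674c54d1b22f9b13863ce421
APIs
• Sleep.KERNEL32(?,?,?,6D271281,?,?,?,?,?,?,6D2713AE), ref: 6D271057
• _amsg_exit.MSVCRT ref: 6D271086
Similarity
• API ID: Sleep_amsg_exit
• String ID:
• API String ID: 1015461914-0
• Opcode ID: a0cdfa5855b2f426b6ec2c848cdd67df97c9c00398284d1d80158c8395d760e1
• Instruction ID: d3263cd8bbcd8d2555c84e4a259b03fb843891d2a424b75a05ebdd5338bae994
"""

HEADINGS = ("APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin")
API_RE = re.compile(r"^•\s*([A-Za-z_]\w*)\.([A-Za-z0-9_]+)")   # "Sleep.KERNEL32(...) ref: ..."
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s?(.*)$")            # "API ID: value"

# Assumed marker lists (not from the report): strings/APIs that identify runtime code.
GO_RUNTIME_MARKERS = ("runtime/cgo", "runtime:")
MINGW_MARKERS = ("pseudo relocation", "_amsg_exit", "___lc_codepage_func", "__lc_codepage")


@dataclass
class FunctionRecord:
    apis: List[str] = field(default_factory=list)       # "Sleep.KERNEL32"
    strings: List[str] = field(default_factory=list)    # xrefs stripped
    api_id: str = ""
    string_id: str = ""
    api_string_id: Optional[Tuple[int, int]] = None     # (api hash, string hash)
    opcode_id: str = ""
    instruction_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into one FunctionRecord per function block."""
    records, rec, mode = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if rec.opcode_id:            # Similarity already filled: the record is complete
                records.append(rec)
                rec = FunctionRecord()
            mode = line
            continue
        if mode == "APIs":
            m = API_RE.match(line)       # skips "Part of subcall function ..." lines
            if m:
                rec.apis.append(f"{m.group(1)}.{m.group(2)}")
        elif mode == "Strings":
            rec.strings.append(line.lstrip("•").strip().rsplit(", xrefs:", 1)[0])
        elif mode == "Similarity":
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip()
            if key == "API ID":
                rec.api_id = value
            elif key == "String ID":
                rec.string_id = value
            elif key == "API String ID":
                a, s = value.split("-", 1)
                rec.api_string_id = (int(a), int(s))
            elif key == "Opcode ID":
                rec.opcode_id = value
            elif key == "Instruction ID":
                rec.instruction_id = value
    if rec.opcode_id:
        records.append(rec)
    return records


def classify(rec: FunctionRecord) -> str:
    """Tag a record as Go runtime, MinGW CRT, or something worth a closer look."""
    blob = " ".join(rec.apis + rec.strings + [rec.api_id, rec.string_id])
    if any(m in blob for m in GO_RUNTIME_MARKERS):
        return "go-runtime"
    if any(m in blob for m in MINGW_MARKERS):
        return "mingw-crt"
    if "Sleep" in blob:                  # timing/evasion candidate (see the Sleep signature)
        return "review:sleep"
    return "review"


def triage(text: str) -> List[Tuple[str, str]]:
    """(short opcode ID, tag) for every function record in the text."""
    return [(r.opcode_id[:12], classify(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for opcode, tag in triage(SAMPLE_REPORT):
        print(f"{opcode}  {tag}")
```

    Run it over the saved text of the report to get one tag per function; records tagged "review" are the ones left over once Go runtime and MinGW CRT code are set aside. The marker lists are deliberately short and should be extended from the strings actually seen in the listing rather than guessed.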
    Similarity
    • API ID: atoisetlocalestrchr
    • String ID: .
    • API String ID: 1223908000-248832578
    • Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
    • Instruction ID: ef90da18f48c56a531bf0b839bccf68dd15594a7bd0425d588822246a0d6b50e
    • Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
    • Instruction Fuzzy Hash: CDE012B19087014BD7007F38C50936EBAE2BF80309F8AD86CD6C887344E779D485DB62
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6D30C942
    • MultiByteToWideChar.KERNEL32 ref: 6D30C985
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: 23a2a2031e9914caaec7b657b846388f2685089932f92b96a3fa73b909673714
    • Instruction ID: 58a05d7ec494794692fc428762ddfdeb54bce003f8528cbe02dba70ae177a863
    • Opcode Fuzzy Hash: 23a2a2031e9914caaec7b657b846388f2685089932f92b96a3fa73b909673714
    • Instruction Fuzzy Hash: F931F3B15093428FD700DF29D58535ABBF0BF86354F00892EE9D48B294E3B6D949CB63
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$u
    • API String ID: 0-1583100103
    • Opcode ID: 7519b59189300335a23d4584427f5ef3ad5f91ef0b06ef573a1bc3a4d30808a5
    • Instruction ID: 30c226b81c22269b91d1bd65ad5be29e1bb2502898ea61b29a37e78eabb90232
    • Opcode Fuzzy Hash: 7519b59189300335a23d4584427f5ef3ad5f91ef0b06ef573a1bc3a4d30808a5
    • Instruction Fuzzy Hash: C1A1CE3050C7968BC721EF24C4803ABBBE5BF85358F108A1DE9D897381D735D94ACB92
    APIs
    • wcslen.MSVCRT ref: 6D308AAE
      • Part of subcall function 6D306520: fputc.MSVCRT ref: 6D3065E8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: fputcwcslen
    • String ID: (null)$@
    • API String ID: 1336801768-1380778734
    • Opcode ID: 635db4e6824b2ff8ca981c2fd9c74fb0fd305c89958fadda0386459d722e9df9
    • Instruction ID: 05b2894b7ea9ec283cb771899f157916696a8482a3d650de216cf23e8670ce4f
    • Opcode Fuzzy Hash: 635db4e6824b2ff8ca981c2fd9c74fb0fd305c89958fadda0386459d722e9df9
    • Instruction Fuzzy Hash: 1691CF3160C7968BD721AF24C0903ABBBE5BF86358F108A1DD9DC97381D736D946CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: 069640c3b7e5095d1c1926fd909f7e6ccec66acdceec44eaa24f8aa44aebe361
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: 094108B5A05216CBDB10CF18C884756B7E5BF85B14B29C2A9DD988F34ED336D882CBD0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: fputc$memset
    • String ID: o
    • API String ID: 2944404495-252678980
    • Opcode ID: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
    • Instruction ID: f822bd0e450763d968647a280fd15bca2c80440d861a54a4b49068efade01974
    • Opcode Fuzzy Hash: 5083fe0debd9753e9b233b695f135e5a28ad9768abfd24fc6a55f8e7a69b9823
    • Instruction Fuzzy Hash: 60318DB1A08705CFCB01CF69C19079ABBF5BF48350F058659DA89AB309E775E984CBD0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: @
    • API String ID: 1992160199-2766056989
    • Opcode ID: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
    • Instruction ID: 3526a0a5d9129a4385b80e5c065e003c3a101f06b4964da7a6e138ed8f57eb0a
    • Opcode Fuzzy Hash: ababd3f75690fbcba9bc1f60d79812ee9903b967bac2f6abc848a8bcbfc8c842
    • Instruction Fuzzy Hash: 3D111CF1E182058BCB01CF28C1817967BB1BF85344F25C659EE995F74AD336E841CB55
    APIs
    • Sleep.KERNEL32(?,?,?,?,6D30A971,?,?,?,?,?,?,00000000,6D308C14), ref: 6D30A877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6D30A971,?,?,?,?,?,?,00000000,6D308C14), ref: 6D30A8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6D30A971,?,?,?,?,?,?,00000000,6D308C14), ref: 6D30A8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6D30A971,?,?,?,?,?,?,00000000,6D308C14), ref: 6D30A8E8
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: 3c31a75383c331da277a0e8bee61328505b28cc762966462ed03e0e7637bef0a
    • Instruction ID: d51da4d283008760f0287cc4d0f2e412521e03d4c7107ea1ea8f36fcff894892
    • Opcode Fuzzy Hash: 3c31a75383c331da277a0e8bee61328505b28cc762966462ed03e0e7637bef0a
    • Instruction Fuzzy Hash: 521161B18051199BDF21AB68E487B7EBBF8EF46350F010526C492C7284E732D8D5C793
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1407045005.000000006D271000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D270000, based on PE: true
    • Associated: 00000004.00000002.1407022695.000000006D270000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407137979.000000006D30D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407160230.000000006D30E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407180330.000000006D30F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407232295.000000006D314000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407299696.000000006D3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407320121.000000006D3C8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407364158.000000006D3DB000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407383887.000000006D3E2000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407402902.000000006D3E3000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000004.00000002.1407418370.000000006D3E6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d270000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 7bb522cc61136aa32cc7dd41fc12ed62dce3d4331bb63be3bd7f44bc849c028f
    • Instruction ID: d36d7a0f98e3674fe13ad97d1253d6da6f21d44df9ec3fc279d1a428d9aacc14
    • Opcode Fuzzy Hash: 7bb522cc61136aa32cc7dd41fc12ed62dce3d4331bb63be3bd7f44bc849c028f
    • Instruction Fuzzy Hash: A3F0C8759042169FCB10FF78D48AA2B7B7CEE06794F01052ADD854B345DB31E804CBA3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 13
    Total number of Limit Nodes: 1
    execution_graph (text form of the rendered graph; two entry blocks, an API name after an address is the import called in that block):
    • 6cf3cfc0 -> 6cf3cfd9 -> 6cf3cfe8 WriteFile; 6cf3cfc0 -> 6cf3cfe8 WriteFile
    • 6cf66161 -> 6cf66187 _beginthread -> 6cf661a1 _errno -> 6cf661e0 Sleep -> 6cf66187 _beginthread (retry loop)
    • 6cf66187 _beginthread -> 6cf661d8 (exit); 6cf661e0 Sleep -> 6cf661f4 -> 6cf661a8 _errno; 6cf661a1 _errno -> 6cf661a8 _errno
    • 6cf661a8 _errno -> 6cf661b9 -> 6cf65e60 (39 API calls) -> 6cf661cd abort -> 6cf661d8 (exit)
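The execution_graph line above is the text behind the rendered graph widget: a node is an integer id followed by a block address (control_flow_graph records use a start-end range) and optional labels, a label being an imported API name, `call <addr>` for an internal subroutine, or `N API calls` for a collapsed subgraph, and every `src->dst` token is an edge. The Python below is an example added by the editor, not code from Joe Sandbox or its IDA plugin. It parses that serialisation, takes each block with no incoming edge as a function entry, lists the APIs reachable from it in discovery order, reports back edges (loops), and returns the shortest path to the first block that calls abort. The input is the process-13 execution_graph copied from this report and embedded as a constructed constant; the token rules are an assumption inferred from the records on this page, not a documented format.

```python
# Added example: parse Joe Sandbox's execution_graph / control_flow_graph text.
# The token rules are inferred from the records on this report page, not vendor docs.
import re
from collections import defaultdict, deque

ADDR_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8})?$")  # "addr" or "start-end"

# Constructed input: the process-13 execution_graph copied from this report.
EXECUTION_GRAPH = (
    "execution_graph 54163 6cf3cfc0 54164 6cf3cfd9 54163->54164 54165 6cf3cfe8 "
    "WriteFile 54163->54165 54164->54165 54166 6cf66161 54167 6cf66187 _beginthread "
    "54166->54167 54168 6cf661a1 _errno 54167->54168 54169 6cf661d8 54167->54169 "
    "54170 6cf661e0 Sleep 54168->54170 54171 6cf661a8 _errno 54168->54171 "
    "54170->54167 54172 6cf661f4 54170->54172 54173 6cf661b9 54171->54173 "
    "54172->54171 54176 6cf65e60 39 API calls 54173->54176 54175 6cf661cd abort "
    "54175->54169 54176->54175"
)

def parse_graph(text):
    """(name, {id: {"addr", "labels"}}, [(src, dst)]): an integer is a node id only
    when the next token is an address, "a->b" is an edge, anything else is a label."""
    tokens, nodes, edges, cur, i = text.split(), {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if "->" in tok:
            edges.append(tuple(tok.split("->")))
            i += 1
        elif tok.isdigit() and ADDR_RE.match(nxt):
            cur, nodes[tok] = tok, {"addr": nxt, "labels": []}
            i += 2
        elif cur is None:
            raise ValueError("label before first node: " + tok)
        else:                                # API name, "call <addr>", "N API calls"
            nodes[cur]["labels"].append(tok)
            i += 1
    return tokens[0], nodes, edges

def api_calls(labels):
    """Imported APIs of a block; skips internal "call <addr>" and "N API calls" summaries."""
    apis, i = [], 0
    while i < len(labels):
        if labels[i] == "call":
            i += 2
        elif labels[i].isdigit() and labels[i + 1:i + 3] == ["API", "calls"]:
            i += 3
        else:
            apis.append(labels[i])
            i += 1
    return apis

def walk(nodes, adj, start, stop_api):
    """BFS from start: (APIs in discovery order, shortest address path to the first
    block calling stop_api, or None if no such block is reachable)."""
    prev, queue, apis, path = {start: None}, deque([start]), [], None
    while queue:
        n = queue.popleft()
        here = api_calls(nodes[n]["labels"])
        apis.extend(here)
        if path is None and stop_api in here:
            path, p = [], n
            while p is not None:             # unwind BFS parents back to the entry
                path.append(nodes[p]["addr"])
                p = prev[p]
            path.reverse()
        for d in adj[n]:
            if d not in prev:
                prev[d] = n
                queue.append(d)
    return apis, path

def back_edges(nodes, adj, start):
    """Edges that close a cycle on a DFS from start, i.e. the function's loops."""
    colour, loops = {}, []

    def visit(n):
        colour[n] = "grey"                   # grey = on the current DFS path
        for d in adj[n]:
            if colour.get(d) == "grey":
                loops.append((nodes[n]["addr"], nodes[d]["addr"]))
            elif d not in colour:
                visit(d)
        colour[n] = "black"

    visit(start)
    return loops

def summarise(text):
    """Per function entry (a block with no incoming edge): APIs, loops, path to abort."""
    _, nodes, edges = parse_graph(text)
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    targets = {dst for _, dst in edges}
    out = {}
    for e in [n for n in nodes if n not in targets]:
        apis, path = walk(nodes, adj, e, "abort")
        out[nodes[e]["addr"]] = {"apis": apis, "path_to_abort": path,
                                 "loops": back_edges(nodes, adj, e)}
    return out
```

summarise(EXECUTION_GRAPH) reports two entries. 6cf3cfc0 reaches only WriteFile. 6cf66161 reaches _beginthread, _errno, Sleep, _errno and abort, has one back edge from the Sleep block 6cf661e0 to the _beginthread block 6cf66187, and reaches abort through 6cf661b9, the block that the record below lists as referencing "runtime: failed to create new OS thread (%d)". A _beginthread call retried after a Sleep and ending in that message and abort() matches the cgo thread-start helper of the Go runtime (_cgo_beginthread in runtime/cgo, which retries _beginthread on EACCES with an increasing Sleep before printing the message and aborting), so the Sleep on this path is start-up back-off in compiler runtime code rather than a deliberate delay; the sleep-related signatures in this report should be checked against the other Sleep call sites, such as the one at 6D30A877 in process 4.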

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CF661B9
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabort
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 3675047324-3231778263
    • Opcode ID: ddd86feac76be73b7adf27cb2621e57fb485d76d2f857db1fb5c0faf781b3976
    • Instruction ID: e4db10643992404413fadf500f30754d7ae98b9f9d0ea4d92ea9f53c4fe1350f
    • Opcode Fuzzy Hash: ddd86feac76be73b7adf27cb2621e57fb485d76d2f857db1fb5c0faf781b3976
    • Instruction Fuzzy Hash: 9F019E75408720DFCB00BF69C98875EBBB0FF85318F46491DE58993A02C730A444DBA2

    Control-flow Graph

    control_flow_graph (basic blocks as address ranges; the executed/not-executed colouring of the rendered graph is not carried in the text):
    • 6cf3cfc0-6cf3cfd7 -> 6cf3cfd9-6cf3cfe6 -> 6cf3cfe8-6cf3d000 WriteFile
    • 6cf3cfc0-6cf3cfd7 -> 6cf3cfe8-6cf3d000 WriteFile
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: becea09432b254c885e602a306e6b4818515db8609ec4cff476b2d5aa6b918b9
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 70E0E571505610CFCB15DF28C2C170ABBE1EB88A00F0485A8DE098FB4AD734ED10CBD2

    Control-flow Graph

    control_flow_graph rooted at 6cf6b7c0 (67 basic blocks from 6cf6b7c0 to 6cf6bcec; edge list not reproduced). Blocks that call imports or internal subroutines, with the strings they reference:
    • 6cf6b7c0-6cf6b830 (entry): call 6cf6c560, fwrite, call 6cf6c560, vfprintf, abort ("Mingw-w64 runtime failure:")
    • 6cf6b85e-6cf6b86a: call 6cf6c010
    • 6cf6b870-6cf6b8b6: call 6cf6c150, VirtualQuery
    • 6cf6b8e0-6cf6b91e: VirtualProtect
    • 6cf6b920-6cf6b93d: GetLastError, call 6cf6b7c0 ("VirtualProtect failed with code 0x%x")
    • 6cf6b947-6cf6b95e ("VirtualQuery failed for %d bytes at address %p") -> 6cf6b962: call 6cf6b7c0
    • 6cf6b967-6cf6b991: call 6cf6b7c0 ("Address %p has no image-section")
    • 6cf6b9a0-6cf6b9e9: call 6cf6c090, call 6cf6c450
    • 6cf6ba8a-6cf6baac and 6cf6bae9-6cf6baf9: call 6cf6b7c0
    • 6cf6bb3a-6cf6bb42, 6cf6bbf6-6cf6bc06, 6cf6bc10-6cf6bc1e and 6cf6bc40-6cf6bc65: call 6cf6b820
    • 6cf6bb8a-6cf6bba1: VirtualProtect
    • 6cf6bc6f-6cf6bc9f: call 6cf6b7c0, EnterCriticalSection
    • 6cf6bcb0-6cf6bcc0: TlsGetValue, GetLastError
    • 6cf6bcd5-6cf6bcec: LeaveCriticalSection
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CF6B7E8
    • Address %p has no image-section, xrefs: 6CF6B96B
    • VirtualProtect failed with code 0x%x, xrefs: 6CF6B926
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF6B957
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    • Opcode ID: f0477bb2d857790883738bc70da192688e4628b7362853acb3af6fa058573e08
    • Instruction ID: 3ca98dbed79075727abcb07355afef6f23aade41b80234f883d93c4876da0858
    • Opcode Fuzzy Hash: f0477bb2d857790883738bc70da192688e4628b7362853acb3af6fa058573e08
    • Instruction Fuzzy Hash: 1B514CB19083049FDB00EF6AC984B4AFBF0FF85358F55892DE4988BB10D734D4499B92

    Control-flow Graph

    control_flow_graph rooted at 6cf64c10 (28 basic blocks from 6cf64c10 to 6cf64e5d; edge list not reproduced). Blocks that call imports or internal subroutines:
    • 6cf64c10-6cf64c34 (entry): call 6cf6c450
    • 6cf64c43-6cf64c5c: strlen
    • 6cf64d40-6cf64d7f: strtol, lstrlenA
    • 6cf64c62-6cf64c7c: malloc
    • 6cf64c82-6cf64cb0: mbstowcs
    • 6cf64e4d-6cf64e5d: SetLastError
    • 6cf64cc0-6cf64cfc: _wcsnicmp
    • 6cf64e0a-6cf64e22: free
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID: #
    • API String ID: 533997002-1885708031
    • Opcode ID: 49fa58ae84383ca6a438221572a4e51f547318a3d4603871e545de1f5ffc8ba7
    • Instruction ID: aa0835a6569469fc29bc741abae617e161e28b3e0940e761d6435cfe557f9aba
    • Opcode Fuzzy Hash: 49fa58ae84383ca6a438221572a4e51f547318a3d4603871e545de1f5ffc8ba7
    • Instruction Fuzzy Hash: 6B519271A083158FC710EF2AD09069ABBE5FFC8308F51892EE998D7B40E730D945CB92
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6CF660E8
    • unexpected cgo_bindm on Windows, xrefs: 6CF66070
    Similarity
    • API ID: CriticalSection$EnterLeaveabort$Event
    • String ID: runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 123483900-760755518
    • Opcode ID: d3aacf3c6f63635434be26ce32deb8a0320e24907d5d14fd7562c60b82f2e7dd
    • Instruction ID: 994990cbbbccaab24769c96146a2cfd6725300efcf05047eadc83ba9e4e4ca13
    • Opcode Fuzzy Hash: d3aacf3c6f63635434be26ce32deb8a0320e24907d5d14fd7562c60b82f2e7dd
    • Instruction Fuzzy Hash: E51189B1848650CFEB00BFB8C60E75DBAB0BB46305F814A6CD88557A06EB34A599CB53
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6CF6BC73
    • Unknown pseudo relocation bit size %d., xrefs: 6CF6BAED
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CF6BAA0
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: 9c86117ee2c805c4c8485c9327f1451eab32cb69c8a0b64ca5eba3ea3a6962eb
    • Instruction ID: 9703927cca2385d93a28b1a68b626a17aa18434a4276125b2e81115941a26bfa
    • Opcode Fuzzy Hash: 9c86117ee2c805c4c8485c9327f1451eab32cb69c8a0b64ca5eba3ea3a6962eb
    • Instruction Fuzzy Hash: B791A072D04216DFDB10EF6AC980B9EB7B5FF45308F188A69E8549BB04D330A945DBD2
    Similarity
    • API ID: Heap$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: @
    • API String ID: 3801555102-2766056989
    • Opcode ID: 4ec469b364f44c527d95a14d7d3d9fe3feedc40164f0389f41646e9da410f62a
    • Instruction ID: dade52ed97ea7e5b33cb76126ed8c869b7ecdd15e98c42af49a20eb991f51a26
    • Opcode Fuzzy Hash: 4ec469b364f44c527d95a14d7d3d9fe3feedc40164f0389f41646e9da410f62a
    • Instruction Fuzzy Hash: 83A1D2B4A097469FC710CF2AC58474AFBE0BF88318F54892DE89997B01E774E955CF82
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: 2ae164045f9f9f7be43a1a26cdd5c6f88b651f1fd9970e9ab436c88a5897bb54
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: 08F16371A04609CFCB05CF6AC48079DBBF2BF89364F198229E894EBB51D734E945CB90
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 081ebe9bfc50cb5fc3187f6bf1b8e856d147a5deb536ee1b1d52757e91f142ad
    • Instruction ID: 75656bb3c86712d3e4ebe88de4e767fe4c200dcdedef2214729799691eafed2f
    • Opcode Fuzzy Hash: 081ebe9bfc50cb5fc3187f6bf1b8e856d147a5deb536ee1b1d52757e91f142ad
    • Instruction Fuzzy Hash: 40012CB2909350DBD710BFF8AA0A31EBFB4AB46265F12452ED98987714D730D445CBA3
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: e9a814925ff53a41f327a8b5b5b3144b0f7ed436ed1556fd0abadcc2a5e30f99
    • Instruction ID: 9c1ee3dc33b9685fded04fffe8c9df4ed0568f1ca046c04bbad07ef736014ded
    • Opcode Fuzzy Hash: e9a814925ff53a41f327a8b5b5b3144b0f7ed436ed1556fd0abadcc2a5e30f99
    • Instruction Fuzzy Hash: 61F1C57160C3818BD7218F26C49079BBBE1BF87318F158A1ED9DC97B81D735990ACB82
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: 2fa3b3fc49db31e2e5bdd1baa9b71ddd5709f232d815082895f24283b444c697
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: EFC18F72E142159BDB04CF6EC48078EBBF1BF89318F15825AEC94ABB85D375E845CB90
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: 2021ab191d6a2c74d9396c0dd9fc96bfa589466a03929d8f3b9d2c92471ad3dd
    • Instruction ID: a711d4b388967557be07aa39ccb5fcbc4cb3e2d35b5a9db2902d860ccd327200
    • Opcode Fuzzy Hash: 2021ab191d6a2c74d9396c0dd9fc96bfa589466a03929d8f3b9d2c92471ad3dd
    • Instruction Fuzzy Hash: 06F06DF19892208BAF00BF7D9E0675A7EF4AA09250F10453AD895CBA04E734D489CBA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CED1281,?,?,?,?,?,?,6CED13AE), ref: 6CED1057
    • _amsg_exit.MSVCRT ref: 6CED1086
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: e867a5c151efb1546ed0371b93ffc06212b1fbc0297b0e3e7b33664e5cbd1c8c
    • Instruction ID: 44c048f2db77ece89a45f0132baccdfd176e9263ce433f0263ed62b92bc67dc2
    • Opcode Fuzzy Hash: e867a5c151efb1546ed0371b93ffc06212b1fbc0297b0e3e7b33664e5cbd1c8c
    • Instruction Fuzzy Hash: 2F31B7B1A09241CBDB00BFE9C68471A77F0EB8635CF22842CD4548BB00D771E486DB93
    APIs
    • bsearch.MSVCRT ref: 6CF64ECF
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CF65DAF), ref: 6CF64F0F
    • malloc.MSVCRT ref: 6CF64F44
    • qsort.MSVCRT ref: 6CF64FB4
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 87e8545dfbd93a8eab8fdf87f60635cf919623fbf42468c78cf03f6afc8ba726
    • Instruction ID: 68af77a5e6465fd6566fa0a6b6cc25771f7270922ed901b363041242d7f13890
    • Opcode Fuzzy Hash: 87e8545dfbd93a8eab8fdf87f60635cf919623fbf42468c78cf03f6afc8ba726
    • Instruction Fuzzy Hash: BA419C716083008FD710EF2AD49061BBBF1FF89718F558A2DE8899BB50E775E845CB82
    Similarity
    • API ID: ErrorLastLocaleThread
    • String ID:
    • API String ID: 1348403374-0
    • Opcode ID: 8ec1f5461d211dce32ce072cb2ae9926e461feaf0d2d529afce2737951346359
    • Instruction ID: 9ad84d53cc303c29d340ea9e198fbe38b78c185520f63db3f1e3cd4ebf4cc9f7
    • Opcode Fuzzy Hash: 8ec1f5461d211dce32ce072cb2ae9926e461feaf0d2d529afce2737951346359
    • Instruction Fuzzy Hash: 4921A771614200CFD704EF3AD984657B7F5BF89318F188628E5A9C7B81EB34E4558B92
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: cedb39a88f48dc94d64e94a736629984bdf9892d80a4eb88d3f0d90c7ec67895
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: DF114C715042518FDB50AF3AC48075ABBE0AF49718F15C569D8D8CFB45EB34C844CBA2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CF65FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF65FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF6600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF6601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF66030
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 9fd42e22b0b76cffa9f391b3e0929d89ff1107a7b01ec0941702120dcf892f56
    • Instruction ID: e6e271cabbcd4d68fb6be8221afed403dd9025e1959baa4c2b869fa1f5a67081
    • Opcode Fuzzy Hash: 9fd42e22b0b76cffa9f391b3e0929d89ff1107a7b01ec0941702120dcf892f56
    • Instruction Fuzzy Hash: 7A01B5B1508704CFDB00FF7DC68AA1ABBF4AF86214F01463DE89043A05E730A468CB93
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID: Erro: %s
    • API String ID: 1365068426-2412703935
    • Opcode ID: f88418cb8a2a5eaa31c49efff7f9720a4951a0e3bed9cd5fb39c4250134fe0a4
    • Instruction ID: 8af78bd633a9467cce2cf76e45ef3f6981f19e415748998ae75ec2f69f336076
    • Opcode Fuzzy Hash: f88418cb8a2a5eaa31c49efff7f9720a4951a0e3bed9cd5fb39c4250134fe0a4
    • Instruction Fuzzy Hash: 46014DB05083019FE700AF65D68971EBBF0BB88349F50891DE89897655D7798189CF93
    APIs
    • CreateEventA.KERNEL32 ref: 6CF65EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF65F65), ref: 6CF65ECB
    • abort.MSVCRT ref: 6CF65EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CF65EE5
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: 0a22160910d90a86ca964345076a4269486d234a7c9045ad6a01fba419e6f37a
    • Instruction ID: f3f6ee0c81b9c30323c208934be7d84bcd0b642389e79a67261f46b3af14f7d5
    • Opcode Fuzzy Hash: 0a22160910d90a86ca964345076a4269486d234a7c9045ad6a01fba419e6f37a
    • Instruction Fuzzy Hash: 12F03AB0809711DBEB00BF79C61975EBBF0BB41345F81896CD48987A42EB79D0588B93
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6CF6C942
    • MultiByteToWideChar.KERNEL32 ref: 6CF6C985
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: b62b4601c3bbfa99d7bf0ff31d15ab5816f20ab4804c97ffbfd52945b4ada8d7
    • Instruction ID: 432f927e84517602647a0deae625bd337ad117c39c7b3b99474a98eb27fc2552
    • Opcode Fuzzy Hash: b62b4601c3bbfa99d7bf0ff31d15ab5816f20ab4804c97ffbfd52945b4ada8d7
    • Instruction Fuzzy Hash: 3B31E5B15093418FDB00EF2AD58474ABBF0BF8A358F14891EE8D587A50D776D948CB53
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: 7b24d9b48f3726ae3768deb8eaf26a69581472959dde7dd1f64712f346d7c998
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: 244108B5A05215CBDB10CF1AC484746B7E1AF85708F2983A9EC58CFB4AD736D846CB90
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: b34db4243161b4f53d214387d3c61f414f218c68661b72ab82919242da88aeaf
    • Instruction ID: f511da9eaffa52688ed9a67d9be0d21313665c07ecf0c534e6092cbfff4aba81
    • Opcode Fuzzy Hash: b34db4243161b4f53d214387d3c61f414f218c68661b72ab82919242da88aeaf
    • Instruction Fuzzy Hash: 3021E6B06053019BDB00AF66C5D4B1ABBF0BF84304F55C96DD8899B70AD735D885CF91
    APIs
    • Sleep.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8E8
    Memory Dump Source
    • Source File: 0000000D.00000002.1501963741.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 0000000D.00000002.1501864809.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502223921.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502309429.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502404611.000000006CF6F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502481992.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502803041.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1502888171.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503201518.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503301267.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503365434.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.1503451673.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: ee3fd9d2faa259be3831237c76f3cfafd145e4bfba4ed7702e323ac372e2fc2b
    • Instruction ID: 7c97cf34ee9d51378d1dddd13ed803dd768f9d68280494e231edb5c131c4b797
    • Opcode Fuzzy Hash: ee3fd9d2faa259be3831237c76f3cfafd145e4bfba4ed7702e323ac372e2fc2b
    • Instruction Fuzzy Hash: B7115BB1C45124CAEB00BB3A9686B5A77F4AB46354F210979C852C7B05E731D4EAC793

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:13
    Total number of Limit Nodes:1
    execution_graph 54163 6cf3cfc0 54164 6cf3cfd9 54163->54164 54165 6cf3cfe8 VirtualAlloc 54163->54165 54164->54165 54166 6cf66161 54167 6cf66187 _beginthread 54166->54167 54168 6cf661a1 _errno 54167->54168 54169 6cf661d8 54167->54169 54170 6cf661e0 Sleep 54168->54170 54171 6cf661a8 _errno 54168->54171 54170->54167 54172 6cf661f4 54170->54172 54173 6cf661b9 54171->54173 54172->54171 54176 6cf65e60 39 API calls 54173->54176 54175 6cf661cd abort 54175->54169 54176->54175

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CF661B9
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabort
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 3675047324-3231778263
    • Opcode ID: ddd86feac76be73b7adf27cb2621e57fb485d76d2f857db1fb5c0faf781b3976
    • Instruction ID: e4db10643992404413fadf500f30754d7ae98b9f9d0ea4d92ea9f53c4fe1350f
    • Opcode Fuzzy Hash: ddd86feac76be73b7adf27cb2621e57fb485d76d2f857db1fb5c0faf781b3976
    • Instruction Fuzzy Hash: 9F019E75408720DFCB00BF69C98875EBBB0FF85318F46491DE58993A02C730A444DBA2

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 10 6cf3cfc0-6cf3cfd7 11 6cf3cfd9-6cf3cfe6 10->11 12 6cf3cfe8-6cf3d000 VirtualAlloc 10->12 11->12
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: becea09432b254c885e602a306e6b4818515db8609ec4cff476b2d5aa6b918b9
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 70E0E571505610CFCB15DF28C2C170ABBE1EB88A00F0485A8DE098FB4AD734ED10CBD2

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1414 6cf6b7c0-6cf6b830 call 6cf6c560 fwrite call 6cf6c560 vfprintf abort 1420 6cf6b836-6cf6b83d 1414->1420 1421 6cf6b940-6cf6b942 1414->1421 1423 6cf6b840-6cf6b844 1420->1423 1422 6cf6b85e-6cf6b86a call 6cf6c010 1421->1422 1429 6cf6b967-6cf6b991 call 6cf6b7c0 1422->1429 1430 6cf6b870-6cf6b8b6 call 6cf6c150 VirtualQuery 1422->1430 1425 6cf6b846-6cf6b84e 1423->1425 1426 6cf6b854-6cf6b85c 1423->1426 1425->1426 1428 6cf6b8d7-6cf6b8dd 1425->1428 1426->1422 1426->1423 1441 6cf6b993-6cf6b99a 1429->1441 1442 6cf6b9a0-6cf6b9e9 call 6cf6c090 call 6cf6c450 1429->1442 1435 6cf6b947-6cf6b95e 1430->1435 1436 6cf6b8bc-6cf6b8c6 1430->1436 1435->1429 1438 6cf6b962 call 6cf6b7c0 1435->1438 1439 6cf6b8d0 1436->1439 1440 6cf6b8c8-6cf6b8ce 1436->1440 1438->1429 1439->1428 1440->1439 1443 6cf6b8e0-6cf6b91e VirtualProtect 1440->1443 1442->1441 1451 6cf6b9eb-6cf6b9f4 1442->1451 1443->1439 1445 6cf6b920-6cf6b93d GetLastError call 6cf6b7c0 1443->1445 1445->1421 1452 6cf6bab0-6cf6bab2 1451->1452 1453 6cf6b9fa 1451->1453 1454 6cf6bc28 1452->1454 1455 6cf6bab8-6cf6baca 1452->1455 1456 6cf6b9ff-6cf6ba03 1453->1456 1457 6cf6bc2d-6cf6bc33 1454->1457 1455->1456 1458 6cf6bad0-6cf6bad5 1455->1458 1456->1457 1459 6cf6ba09 1456->1459 1457->1441 1460 6cf6bc39-6cf6bc3c 1457->1460 1461 6cf6ba0c-6cf6ba0e 1458->1461 1459->1461 1462 6cf6bc40-6cf6bc65 call 6cf6b820 1460->1462 1461->1457 1463 6cf6ba14-6cf6ba1a 1461->1463 1470 6cf6bc67 1462->1470 1465 6cf6ba20-6cf6ba29 1463->1465 1466 6cf6bc6f-6cf6bc9f call 6cf6b7c0 EnterCriticalSection 1463->1466 1465->1441 1468 6cf6ba2f-6cf6ba32 1465->1468 1475 6cf6bcd5-6cf6bcec LeaveCriticalSection 1466->1475 1476 6cf6bca1-6cf6bcad 1466->1476 1471 6cf6ba38-6cf6ba5e 1468->1471 1470->1466 1473 6cf6ba64-6cf6ba67 1471->1473 1474 6cf6bb00-6cf6bb10 1471->1474 1479 6cf6bae0-6cf6bae3 1473->1479 1480 6cf6ba69-6cf6ba7c 1473->1480 1477 6cf6bb17-6cf6bb20 1474->1477 1478 6cf6bb12 1474->1478 1481 6cf6bcb0-6cf6bcc0 TlsGetValue GetLastError 1476->1481 1484 6cf6bb22-6cf6bb28 1477->1484 1485 6cf6bb3a-6cf6bb42 call 6cf6b820 1477->1485 1478->1477 1482 6cf6bbc0-6cf6bbcf 1479->1482 1483 6cf6bae9-6cf6baf9 call 6cf6b7c0 1479->1483 1486 6cf6ba82-6cf6ba84 1480->1486 1487 6cf6bc10-6cf6bc1e call 6cf6b820 1480->1487 1488 6cf6bcc2-6cf6bcc4 1481->1488 1489 6cf6bcce-6cf6bcd3 1481->1489 1491 6cf6bbd6-6cf6bbdf 1482->1491 1492 6cf6bbd1 1482->1492 1483->1474 1493 6cf6bb2e-6cf6bb34 1484->1493 1494 6cf6ba8a-6cf6baac call 6cf6b7c0 1484->1494 1504 6cf6bb49-6cf6bb52 1485->1504 1486->1487 1486->1494 1487->1504 1488->1489 1497 6cf6bcc6-6cf6bcc9 1488->1497 1489->1475 1489->1481 1500 6cf6bbf6-6cf6bc06 call 6cf6b820 1491->1500 1501 6cf6bbe1-6cf6bbe7 1491->1501 1492->1491 1493->1485 1493->1494 1494->1452 1497->1489 1500->1504 1501->1494 1505 6cf6bbed-6cf6bbf0 1501->1505 1504->1471 1508 6cf6bb58-6cf6bb63 1504->1508 1505->1494 1505->1500 1508->1441 1510 6cf6bb69-6cf6bb72 1508->1510 1511 6cf6bb78-6cf6bb88 1510->1511 1512 6cf6bba4-6cf6bbad 1511->1512 1513 6cf6bb8a-6cf6bba1 VirtualProtect 1511->1513 1512->1511 1514 6cf6bbaf-6cf6bbb6 1512->1514 1513->1512
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6CF6B96B
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF6B957
    • Mingw-w64 runtime failure:, xrefs: 6CF6B7E8
    • VirtualProtect failed with code 0x%x, xrefs: 6CF6B926
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtualabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
    • API String ID: 2513968241-1534286854
    • Opcode ID: f0477bb2d857790883738bc70da192688e4628b7362853acb3af6fa058573e08
    • Instruction ID: 3ca98dbed79075727abcb07355afef6f23aade41b80234f883d93c4876da0858
    • Opcode Fuzzy Hash: f0477bb2d857790883738bc70da192688e4628b7362853acb3af6fa058573e08
    • Instruction Fuzzy Hash: 1B514CB19083049FDB00EF6AC984B4AFBF0FF85358F55892DE4988BB10D734D4499B92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2264 6cf64c10-6cf64c34 call 6cf6c450 2267 6cf64d90-6cf64d9a 2264->2267 2268 6cf64c3a-6cf64c3d 2264->2268 2269 6cf64da0-6cf64da2 2267->2269 2270 6cf64c43-6cf64c5c strlen 2268->2270 2271 6cf64d40-6cf64d7f strtol lstrlenA 2268->2271 2273 6cf64da4-6cf64db1 2269->2273 2274 6cf64dc1-6cf64dc3 2269->2274 2275 6cf64c62-6cf64c7c malloc 2270->2275 2276 6cf64e40-6cf64e48 2270->2276 2271->2270 2272 6cf64d85-6cf64d88 2271->2272 2272->2267 2277 6cf64db3-6cf64dbf 2273->2277 2278 6cf64dd0-6cf64dd3 2273->2278 2279 6cf64d2b-6cf64d37 2274->2279 2280 6cf64c82-6cf64cb0 mbstowcs 2275->2280 2281 6cf64e4d-6cf64e5d SetLastError 2275->2281 2277->2273 2277->2274 2278->2279 2282 6cf64dd9-6cf64de3 2278->2282 2283 6cf64cb6-6cf64cbc 2280->2283 2284 6cf64dfa-6cf64e04 2280->2284 2281->2279 2282->2269 2285 6cf64cc0-6cf64cfc _wcsnicmp 2283->2285 2284->2279 2286 6cf64e0a-6cf64e22 free 2284->2286 2287 6cf64d02-6cf64d0b 2285->2287 2288 6cf64e28 2285->2288 2290 6cf64de8-6cf64df0 2287->2290 2291 6cf64d11-6cf64d13 2287->2291 2289 6cf64e2a-6cf64e34 2288->2289 2288->2290 2293 6cf64df2-6cf64df4 2289->2293 2290->2293 2291->2289 2292 6cf64d19-6cf64d25 2291->2292 2292->2279 2292->2286 2293->2284 2293->2285
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID: #
    • API String ID: 533997002-1885708031
    • Opcode ID: 49fa58ae84383ca6a438221572a4e51f547318a3d4603871e545de1f5ffc8ba7
    • Instruction ID: aa0835a6569469fc29bc741abae617e161e28b3e0940e761d6435cfe557f9aba
    • Opcode Fuzzy Hash: 49fa58ae84383ca6a438221572a4e51f547318a3d4603871e545de1f5ffc8ba7
    • Instruction Fuzzy Hash: 6B519271A083158FC710EF2AD09069ABBE5FFC8308F51892EE998D7B40E730D945CB92
    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6CF660E8
    • unexpected cgo_bindm on Windows, xrefs: 6CF66070
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabort$Event
    • String ID: runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 123483900-760755518
    • Opcode ID: d3aacf3c6f63635434be26ce32deb8a0320e24907d5d14fd7562c60b82f2e7dd
    • Instruction ID: 994990cbbbccaab24769c96146a2cfd6725300efcf05047eadc83ba9e4e4ca13
    • Opcode Fuzzy Hash: d3aacf3c6f63635434be26ce32deb8a0320e24907d5d14fd7562c60b82f2e7dd
    • Instruction Fuzzy Hash: E51189B1848650CFEB00BFB8C60E75DBAB0BB46305F814A6CD88557A06EB34A599CB53
    Strings
    • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6CF6BAA0
    • Unknown pseudo relocation bit size %d., xrefs: 6CF6BAED
    • Unknown pseudo relocation protocol version %d., xrefs: 6CF6BC73
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    • Associated: 00000011.00000002.1500346875.000000006CED0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500749992.000000006CF6D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500869183.000000006CF6E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1500937497.000000006CF72000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501023876.000000006CF74000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501320061.000000006D01D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D023000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501403238.000000006D028000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501601706.000000006D03B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501688601.000000006D042000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501766411.000000006D043000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.1501867576.000000006D046000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
    • API String ID: 0-1286557213
    • Opcode ID: 9c86117ee2c805c4c8485c9327f1451eab32cb69c8a0b64ca5eba3ea3a6962eb
    • Instruction ID: 9703927cca2385d93a28b1a68b626a17aa18434a4276125b2e81115941a26bfa
    • Opcode Fuzzy Hash: 9c86117ee2c805c4c8485c9327f1451eab32cb69c8a0b64ca5eba3ea3a6962eb
    • Instruction Fuzzy Hash: B791A072D04216DFDB10EF6AC980B9EB7B5FF45308F188A69E8549BB04D330A945DBD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Heap$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: @
    • API String ID: 3801555102-2766056989
    • Opcode ID: 4ec469b364f44c527d95a14d7d3d9fe3feedc40164f0389f41646e9da410f62a
    • Instruction ID: dade52ed97ea7e5b33cb76126ed8c869b7ecdd15e98c42af49a20eb991f51a26
    • Opcode Fuzzy Hash: 4ec469b364f44c527d95a14d7d3d9fe3feedc40164f0389f41646e9da410f62a
    • Instruction Fuzzy Hash: 83A1D2B4A097469FC710CF2AC58474AFBE0BF88318F54892DE89997B01E774E955CF82
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: memset
    • String ID: 0$o
    • API String ID: 2221118986-4157579757
    • Opcode ID: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction ID: 2ae164045f9f9f7be43a1a26cdd5c6f88b651f1fd9970e9ab436c88a5897bb54
    • Opcode Fuzzy Hash: ebefbe6945bd7e9b28a0da70524577bbcc1c22ea509cf173d45d016b6e072430
    • Instruction Fuzzy Hash: 08F16371A04609CFCB05CF6AC48079DBBF2BF89364F198229E894EBB51D734E945CB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 081ebe9bfc50cb5fc3187f6bf1b8e856d147a5deb536ee1b1d52757e91f142ad
    • Instruction ID: 75656bb3c86712d3e4ebe88de4e767fe4c200dcdedef2214729799691eafed2f
    • Opcode Fuzzy Hash: 081ebe9bfc50cb5fc3187f6bf1b8e856d147a5deb536ee1b1d52757e91f142ad
    • Instruction Fuzzy Hash: 40012CB2909350DBD710BFF8AA0A31EBFB4AB46265F12452ED98987714D730D445CBA3
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: _errno
    • String ID: @$Inf$NaN
    • API String ID: 2918714741-141429178
    • Opcode ID: e9a814925ff53a41f327a8b5b5b3144b0f7ed436ed1556fd0abadcc2a5e30f99
    • Instruction ID: 9c1ee3dc33b9685fded04fffe8c9df4ed0568f1ca046c04bbad07ef736014ded
    • Opcode Fuzzy Hash: e9a814925ff53a41f327a8b5b5b3144b0f7ed436ed1556fd0abadcc2a5e30f99
    • Instruction Fuzzy Hash: 61F1C57160C3818BD7218F26C49079BBBE1BF87318F158A1ED9DC97B81D735990ACB82
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 0$@
    • API String ID: 0-1545510068
    • Opcode ID: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction ID: 2fa3b3fc49db31e2e5bdd1baa9b71ddd5709f232d815082895f24283b444c697
    • Opcode Fuzzy Hash: db53b3412e21b14b64fd966cdfaba44a868fe3b057c10bed8708d4ee68713ec0
    • Instruction Fuzzy Hash: EFC18F72E142159BDB04CF6EC48078EBBF1BF89318F15825AEC94ABB85D375E845CB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
    • API String ID: 667068680-1145701848
    • Opcode ID: 2021ab191d6a2c74d9396c0dd9fc96bfa589466a03929d8f3b9d2c92471ad3dd
    • Instruction ID: a711d4b388967557be07aa39ccb5fcbc4cb3e2d35b5a9db2902d860ccd327200
    • Opcode Fuzzy Hash: 2021ab191d6a2c74d9396c0dd9fc96bfa589466a03929d8f3b9d2c92471ad3dd
    • Instruction Fuzzy Hash: 06F06DF19892208BAF00BF7D9E0675A7EF4AA09250F10453AD895CBA04E734D489CBA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CED1281,?,?,?,?,?,?,6CED13AE), ref: 6CED1057
    • _amsg_exit.MSVCRT ref: 6CED1086
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: e867a5c151efb1546ed0371b93ffc06212b1fbc0297b0e3e7b33664e5cbd1c8c
    • Instruction ID: 44c048f2db77ece89a45f0132baccdfd176e9263ce433f0263ed62b92bc67dc2
    • Opcode Fuzzy Hash: e867a5c151efb1546ed0371b93ffc06212b1fbc0297b0e3e7b33664e5cbd1c8c
    • Instruction Fuzzy Hash: 2F31B7B1A09241CBDB00BFE9C68471A77F0EB8635CF22842CD4548BB00D771E486DB93
    APIs
    • bsearch.MSVCRT ref: 6CF64ECF
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CF65DAF), ref: 6CF64F0F
    • malloc.MSVCRT ref: 6CF64F44
    • qsort.MSVCRT ref: 6CF64FB4
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 87e8545dfbd93a8eab8fdf87f60635cf919623fbf42468c78cf03f6afc8ba726
    • Instruction ID: 68af77a5e6465fd6566fa0a6b6cc25771f7270922ed901b363041242d7f13890
    • Opcode Fuzzy Hash: 87e8545dfbd93a8eab8fdf87f60635cf919623fbf42468c78cf03f6afc8ba726
    • Instruction Fuzzy Hash: BA419C716083008FD710EF2AD49061BBBF1FF89718F558A2DE8899BB50E775E845CB82
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastLocaleThread
    • String ID:
    • API String ID: 1348403374-0
    • Opcode ID: 8ec1f5461d211dce32ce072cb2ae9926e461feaf0d2d529afce2737951346359
    • Instruction ID: 9ad84d53cc303c29d340ea9e198fbe38b78c185520f63db3f1e3cd4ebf4cc9f7
    • Opcode Fuzzy Hash: 8ec1f5461d211dce32ce072cb2ae9926e461feaf0d2d529afce2737951346359
    • Instruction Fuzzy Hash: 4921A771614200CFD704EF3AD984657B7F5BF89318F188628E5A9C7B81EB34E4558B92
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction ID: cedb39a88f48dc94d64e94a736629984bdf9892d80a4eb88d3f0d90c7ec67895
    • Opcode Fuzzy Hash: 01cfb712d85b6e4d619ce68922cd4ea2a4d205ce6739300ed457df455a6d115e
    • Instruction Fuzzy Hash: DF114C715042518FDB50AF3AC48075ABBE0AF49718F15C569D8D8CFB45EB34C844CBA2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CF65FF0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF65FFC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF6600E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF6601E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF646F9), ref: 6CF66030
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 9fd42e22b0b76cffa9f391b3e0929d89ff1107a7b01ec0941702120dcf892f56
    • Instruction ID: e6e271cabbcd4d68fb6be8221afed403dd9025e1959baa4c2b869fa1f5a67081
    • Opcode Fuzzy Hash: 9fd42e22b0b76cffa9f391b3e0929d89ff1107a7b01ec0941702120dcf892f56
    • Instruction Fuzzy Hash: 7A01B5B1508704CFDB00FF7DC68AA1ABBF4AF86214F01463DE89043A05E730A468CB93
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID: Erro: %s
    • API String ID: 1365068426-2412703935
    • Opcode ID: f88418cb8a2a5eaa31c49efff7f9720a4951a0e3bed9cd5fb39c4250134fe0a4
    • Instruction ID: 8af78bd633a9467cce2cf76e45ef3f6981f19e415748998ae75ec2f69f336076
    • Opcode Fuzzy Hash: f88418cb8a2a5eaa31c49efff7f9720a4951a0e3bed9cd5fb39c4250134fe0a4
    • Instruction Fuzzy Hash: 46014DB05083019FE700AF65D68971EBBF0BB88349F50891DE89897655D7798189CF93
    APIs
    • CreateEventA.KERNEL32 ref: 6CF65EB2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF65F65), ref: 6CF65ECB
    • abort.MSVCRT ref: 6CF65EF5
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CF65EE5
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabort
    • String ID: runtime: failed to create runtime initialization wait event.
    • API String ID: 3843693739-3277801083
    • Opcode ID: 0a22160910d90a86ca964345076a4269486d234a7c9045ad6a01fba419e6f37a
    • Instruction ID: f3f6ee0c81b9c30323c208934be7d84bcd0b642389e79a67261f46b3af14f7d5
    • Opcode Fuzzy Hash: 0a22160910d90a86ca964345076a4269486d234a7c9045ad6a01fba419e6f37a
    • Instruction Fuzzy Hash: 12F03AB0809711DBEB00BF79C61975EBBF0BB41345F81896CD48987A42EB79D0588B93
    APIs
    • IsDBCSLeadByteEx.KERNEL32 ref: 6CF6C942
    • MultiByteToWideChar.KERNEL32 ref: 6CF6C985
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Byte$CharLeadMultiWide
    • String ID:
    • API String ID: 2561704868-0
    • Opcode ID: b62b4601c3bbfa99d7bf0ff31d15ab5816f20ab4804c97ffbfd52945b4ada8d7
    • Instruction ID: 432f927e84517602647a0deae625bd337ad117c39c7b3b99474a98eb27fc2552
    • Opcode Fuzzy Hash: b62b4601c3bbfa99d7bf0ff31d15ab5816f20ab4804c97ffbfd52945b4ada8d7
    • Instruction Fuzzy Hash: 3B31E5B15093418FDB00EF2AD58474ABBF0BF8A358F14891EE8D587A50D776D948CB53
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: fputc
    • String ID: NaN
    • API String ID: 1992160199-1757892521
    • Opcode ID: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction ID: 7b24d9b48f3726ae3768deb8eaf26a69581472959dde7dd1f64712f346d7c998
    • Opcode Fuzzy Hash: cf7614440ec6851ca82ea40031330610d20ebf86e678fa2553d9f1a1c36698a7
    • Instruction Fuzzy Hash: 244108B5A05215CBDB10CF1AC484746B7E1AF85708F2983A9EC58CFB4AD736D846CB90
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: b34db4243161b4f53d214387d3c61f414f218c68661b72ab82919242da88aeaf
    • Instruction ID: f511da9eaffa52688ed9a67d9be0d21313665c07ecf0c534e6092cbfff4aba81
    • Opcode Fuzzy Hash: b34db4243161b4f53d214387d3c61f414f218c68661b72ab82919242da88aeaf
    • Instruction Fuzzy Hash: 3021E6B06053019BDB00AF66C5D4B1ABBF0BF84304F55C96DD8899B70AD735D885CF91
    APIs
    • Sleep.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A877
    • InitializeCriticalSection.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8B4
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8C0
    • EnterCriticalSection.KERNEL32(?,?,?,?,6CF6A971,?,?,?,?,?,?,00000000,6CF68C14), ref: 6CF6A8E8
    Memory Dump Source
    • Source File: 00000011.00000002.1500447358.000000006CED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CED0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ced0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Initialize$EnterSleep
    • String ID:
    • API String ID: 1117354567-0
    • Opcode ID: ee3fd9d2faa259be3831237c76f3cfafd145e4bfba4ed7702e323ac372e2fc2b
    • Instruction ID: 7c97cf34ee9d51378d1dddd13ed803dd768f9d68280494e231edb5c131c4b797
    • Opcode Fuzzy Hash: ee3fd9d2faa259be3831237c76f3cfafd145e4bfba4ed7702e323ac372e2fc2b
    • Instruction Fuzzy Hash: B7115BB1C45124CAEB00BB3A9686B5A77F4AB46354F210979C852C7B05E731D4EAC793