

Windows Analysis Report
d4Jre2L0d7.dll

Overview

General Information

Sample name: d4Jre2L0d7.dll (renamed because the original name is a hash value)
Original sample name: 25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c.dll
Analysis ID: 1544806
MD5: 3e5c72ddd38e6c98341eb83146c2329f
SHA1: 29f6591666f9ab9f3b37ada5c80f979f48afba5b
SHA256: 25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
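Several of the signatures above ("Uses 32bit PE files", "PE file contains an invalid checksum", "PE file contains sections with non-standard names", "Found inlined nop instructions") are plain static checks on the PE header and section table, and on a Go-built DLL they need context: Go's Windows runtime itself registers a suspend/resume power notification, alignment padding between functions is ordinary compiler output (the nop hits below sit at function starts), and Go's own linker emits section names outside the MSVC set. The script below, added here as an example and not part of the Joe Sandbox report, reproduces those checks with the Python standard library only so the evidence can be re-derived from the file. The sample DLL it builds is constructed inline (the section layout, ImageBase and export string are made up) so the script runs offline; point `triage_pe` at real file bytes for a live sample.

```python
"""Static triage of a PE DLL with the Python standard library only: header flags,
section names, image checksum, 4x-NOP runs and Go/cgo build markers."""
import struct

# IMAGE_FILE_CHARACTERISTICS and DllCharacteristics bits (PE/COFF specification)
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
              0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE",
              0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# Section names most linkers emit; anything else is reported, not judged
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".reloc", ".rsrc", ".tls", ".pdata", ".CRT"}
# _cgo_dummy_export is emitted by cgo (c-shared/c-archive builds); the others are
# Go's embedded build-info magic and the older "Go build ID" link stamp
GO_MARKERS = [b"_cgo_dummy_export", b"\xff Go buildinf:", b"Go build ID: "]


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as Windows computes it: end-around-carry sum of 32-bit words,
    skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def find_nop_runs(code: bytes, min_run: int = 4):
    """(offset, length) of every run of single-byte NOPs (0x90) at least min_run long."""
    runs, i = [], 0
    while i < len(code):
        j = i
        while j < len(code) and code[j] == 0x90:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j + 1 if j == i else j
    return runs


def triage_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, file_chars = struct.unpack_from("<HH", data, pe + 20)
    opt = pe + 24                                           # optional header
    magic, = struct.unpack_from("<H", data, opt)
    stored, = struct.unpack_from("<I", data, opt + 64)      # CheckSum: same offset in PE32 and PE32+
    _subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        sections.append(data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1"))
    computed = pe_checksum(data, opt + 64)
    return {
        "pe32plus": magic == 0x20B,
        "file_flags": [n for bit, n in FILE_FLAGS.items() if file_chars & bit],
        "dll_flags": [n for bit, n in DLL_FLAGS.items() if dll_chars & bit],
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
        "go_markers": [m.decode("latin-1").strip("\xff ") for m in GO_MARKERS if m in data],
    }


def build_sample_dll(checksum: int = 0) -> bytes:
    """Constructed two-section PE32 DLL, not a real sample: i386, the report's DLL flags,
    a non-standard .symtab section, a 4x-NOP function prologue and a cgo export string."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<IIIHH", opt, 56, 0x3000, 0x200, checksum, 2, 0x8140)  # ..., GUI, DYNAMIC_BASE|NX_COMPAT|TS_AWARE

    def sect(name, rva, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)

    headers = (dos + coff + bytes(opt) + sect(b".text", 0x1000, 0x200, 0x60000020)
               + sect(b".symtab", 0x2000, 0x400, 0x42000040)).ljust(0x200, b"\0")
    text = b"\x90\x90\x90\x90\x89\x44\x24\x0c\xc3".ljust(0x200, b"\0")   # 4x nop; mov [esp+0Ch],eax; ret
    symtab = b"_cgo_dummy_export\0".ljust(0x200, b"\0")
    return headers + text + symtab


if __name__ == "__main__":
    sample = build_sample_dll()
    for key, value in triage_pe(sample).items():
        print(f"{key:22} {value}")
    print("nop runs (offset, len):", [(hex(o), n) for o, n in find_nop_runs(sample)])
```

A stored checksum of zero, or one that disagrees with the computed value, is the norm for binaries that are not Authenticode-signed and for Go or MinGW link output, so on its own it says nothing about intent; the combination that matters here is the cgo marker plus the process tree, which shows every export crashing or idling under rundll32.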

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6460 cmdline: loaddll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1540 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6848 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4328 cmdline: rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2196 cmdline: rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6108 cmdline: rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2128 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 2616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4372 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6704 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4924 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3360 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1916 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1056 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5448 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6620 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5608 cmdline: rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: Submitted sample | Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D131830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD61830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD61830
Source: d4Jre2L0d7.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: d4Jre2L0d7.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (4_2_6D102CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (4_2_6D102CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (4_2_6D11CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (4_2_6D129030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (4_2_6D12A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CD32CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CD32CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (13_2_6CD4CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (13_2_6CD59030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (13_2_6CD5A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CD32CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CD32CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (17_2_6CD4CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (17_2_6CD59030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (17_2_6CD5A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D131A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D132A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D131570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1311F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD62A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD61A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD61570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD611F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD62A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD61A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD61570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD611F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D184D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D15BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D186C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D102CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D102CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D194F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D13CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D192E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D10BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D155ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D17CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1859D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1159F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D16A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D10FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D110AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D158570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D182560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1895A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D123400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D121440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D146470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D17E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D186740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D126630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D15D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D136010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1180A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1090F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D13A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D16332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1293F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D193230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D13E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D167280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1032A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD8BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB6C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB4D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD85ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDACEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD3BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDC2E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD6CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDC4F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD9A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB59D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD459F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD40AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD51440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD76470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD53400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB95A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD88570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD8D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD56630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDAE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDB6740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD390F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD480A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD66010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD97280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD332A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD6E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDC3230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD593F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD6A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD9332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD32CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD32CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD8BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB6C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB4D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD85ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDACEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD3BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDC2E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD6CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDC4F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD9A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB59D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD459F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD40AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD3FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD51440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD76470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD53400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB95A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD88570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD8D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD56630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDAE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDB6740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD390F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD480A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD66010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD5B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD97280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD332A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD6E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDC3230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD593F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD6A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD9332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6D137410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD96A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6D166A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD63B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD65080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD95740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD32C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function 6CD67410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868)
Source: d4Jre2L0d7.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D195B30 GetLastError, FormatMessageA, fprintf, LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\65aa33f1-e5e7-477b-a9b5-35c4286b13fd
Source: d4Jre2L0d7.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe (cmdline: rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate)
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 832
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: d4Jre2L0d7.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: d4Jre2L0d7.dll | Static file information: File size 1368576 > 1048576
Source: d4Jre2L0d7.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D1013E0
Source: d4Jre2L0d7.dll | Static PE information: real checksum: 0x1509e8 should be: 0x15b14c
Source: d4Jre2L0d7.dll | Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0143AF38 push eax; retf 0_2_0143AF39
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0148043F pushfd ; iretd 0_2_01480443
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D175094 pushad ; ret 4_2_6D175095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D17509D pushad ; ret 4_2_6D17509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0483D7FF push cs; retf 5_2_0483D815
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04880891 push eax; iretd 5_2_04880894
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0443D82C push 00000046h; retf 12_2_0443D830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDA509D pushad ; ret 13_2_6CDA509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CDA5094 pushad ; ret 13_2_6CDA5095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0503D800 push es; iretd 15_2_0503D803
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0503C8CB push ebp; iretd 15_2_0503C8E1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_0508036C push eax; ret 15_2_0508036E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDA509D pushad ; ret 17_2_6CDA509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CDA5094 pushad ; ret 17_2_6CDA5095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_0503AF38 push eax; retf 20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0503C3AB pushfd ; retf 21_2_0503C3AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_050803A0 push ebx; retf 22_2_050803B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_0503AF38 push eax; retf 23_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0443CD73 push 00000045h; ret 24_2_0443CDD7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0443D7F6 pushad ; retf 24_2_0443D800
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0443C8F9 push 00000045h; ret 24_2_0443CDD7
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D16C0C0 rdtscp 4_2_6D16C0C0
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D16C0C0 rdtscp 4_2_6D16C0C0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D1013E0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D194F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,4_2_6D194F30
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D196300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6D196300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D1962FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6D1962FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CDC62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6CDC62FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CDC6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6CDC6300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CDC62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6CDC62FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CDC6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6CDC6300
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D196250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_6D196250
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D131C90 RtlGetVersion,RtlGetCurrentPeb,4_2_6D131C90
MITRE ATT&CK Matrix (listed per tactic; the number in parentheses is the matched-signature count shown for that technique)
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), Native API (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Rundll32 (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (3), Virtualization/Sandbox Evasion (11), System Information Discovery (3), Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID: 1544806, Sample: d4Jre2L0d7.dll, Startdate: 29/10/2024, Architecture: WINDOWS, Score: 48), recovered from the graph export:

  • Start: signature "AI detected suspicious sample"
  • Start -> loaddll32.exe started
  • loaddll32.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes
  • rundll32.exe (from loaddll32.exe): signature "Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)"; started WerFault.exe
  • cmd.exe started rundll32.exe, which started WerFault.exe
  • second rundll32.exe (from loaddll32.exe) started WerFault.exe

Source | Detection | Scanner | Label | Link
d4Jre2L0d7.dll | 5% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544806
Start date and time:2024-10-29 19:12:20 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 0s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:d4Jre2L0d7.dll
renamed because original name is a hash value
Original Sample Name:25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 6
  • Number of non-executed functions: 117
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 6460 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1056 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1916 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2196 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3360 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4372 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5448 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 5608 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6108 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6620 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6704 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6848 because there are no executed functions
  • Not all processes were analyzed, so the report is missing behavior information
  • VT rate limit hit for: d4Jre2L0d7.dll
Time | Type | Description
14:13:25 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
19:13:06 | Task Scheduler | Run new task: {1977B557-6744-45E5-A76A-C353FB8C3EDF} path: .
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.272674879937818
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:d4Jre2L0d7.dll
File size:1'368'576 bytes
MD5:3e5c72ddd38e6c98341eb83146c2329f
SHA1:29f6591666f9ab9f3b37ada5c80f979f48afba5b
SHA256:25a0e1f9fb3348f374f9a4726d81a33a0e5f55774dbdf25dc770867cd213b73c
SHA512:e2dd5638fbb33b2eb45c93648c2b6766d9c0e995d6d1b3525d2b2f3bb0c6e18054a0e4d9323a4d190a1f3c4cef0daa7132982a019982c3beac3459cbe964656f
SSDEEP:24576:jmP2RxDHnfLGclUfeVuT+WD/7QBpu2eoBt4dN6G02nMdX:jpSsSDXfe
TLSH:B9551900FD8784F1E4032632856B62AF2325AD1A1F31DBC7FB54BA79FA776D50932285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m......................................@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F1960B20B5Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F1960B209C2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F1960BB59DCh
mov edx, dword ptr [esp+0Ch]
jmp 00007F1960B20B19h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F1960BB682Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F1960B20BB5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F1960B20B53h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fd0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 5bc3a1ac6a4b04c490992ee7ad7a1c98 | False | 0.4698110570923461 | data | 6.2824946074759485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | d75b22eed76d909e73677b05429662b1 | False | 0.4201096754807692 | data | 4.441134422818352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa63a0 | 0xa6400 | eacad240891e57ac4de426d3728dae7c | False | 0.43175810620300753 | data | 5.596171465349414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 65fe8d0425bf75b2ebd0135b4f239ae6 | False | 0.66650390625 | data | 6.630808778096326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found

Target ID:0
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll"
Imagebase:0x950000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarCreate
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",#1
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 868
Imagebase:0x140000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:13:15
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 832
Imagebase:0x140000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:13:18
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarDestroy
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:13:21
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\d4Jre2L0d7.dll,BarFreeRec
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarCreate
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarDestroy
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarFreeRec
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",_cgo_dummy_export
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824
Imagebase:0x140000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellSpell
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellInit
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SpellFree
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",SignalInitializeCrashReporting
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:13:24
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",GetInstallDetailsPayload
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:13:25
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\d4Jre2L0d7.dll",BarRecognize
Imagebase:0x3a0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    Execution graph, recovered from the graph export:
    • 6d16cea0 -> 6d16cec8 WriteFile (directly, or via 6d16ceb9)
    • 6d195fb0 -> 6d195fc7 _beginthread -> 6d196012 (success path)
    • 6d195fc7 _beginthread -> 6d195fe1 _errno -> 6d196020 Sleep -> back to 6d195fc7 _beginthread (retry), or -> 6d196034 -> 6d195fe8 _errno
    • 6d195fe1 _errno -> 6d195fe8 _errno -> 6d195ff9 fprintf, abort -> 6d196012

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D195FF9
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 2013b2cfbe28900a1e8a18e099d80bed2f204b56983cee3137b0e54b77a88806
    • Instruction ID: d03849a60a5da3901a2b5f1ed10bf2eb1095edd74f38ad47240efe40e77a00f0
    • Opcode Fuzzy Hash: 2013b2cfbe28900a1e8a18e099d80bed2f204b56983cee3137b0e54b77a88806
    • Instruction Fuzzy Hash: DD016D74809315DFD7007FA8D88862EBBB4FF86724F06851DE5898B254C7B09440EAA3

    Control-flow Graph

    control_flow_graph 8 6d16cea0-6d16ceb7 9 6d16cec8-6d16cee0 WriteFile 8->9 10 6d16ceb9-6d16cec6 8->10 10->9
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 66002eede875ce2b10caf7283ed8bcb717c84d007a6e23224d970b6cb5df913e
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 8BE0E571505640CFCB15DF18C2C1316BBF1EB48A00F0485A8DE098F74AD774ED10CB92

    Control-flow Graph

    control_flow_graph 305 6d194f30-6d194f42 306 6d194f48-6d194f54 305->306 307 6d195350-6d19536e SetLastError 305->307 308 6d194f5a-6d194f71 306->308 309 6d195330-6d19533f SetLastError 306->309 308->307 311 6d194f77-6d194f88 308->311 310 6d195342-6d19534e 309->310 311->309 312 6d194f8e-6d194f98 311->312 312->309 313 6d194f9e-6d194fa7 312->313 313->309 314 6d194fad-6d194fbb 313->314 315 6d194fc1-6d194fc3 314->315 316 6d195710-6d195712 314->316 317 6d194fc5-6d194fe3 315->317 317->317 318 6d194fe5-6d19500f GetNativeSystemInfo 317->318 318->309 319 6d195015-6d195047 318->319 321 6d19504d-6d195073 GetProcessHeap HeapAlloc 319->321 322 6d195370-6d1953a3 319->322 323 6d195079-6d1950e4 321->323 324 6d195731-6d19576a SetLastError 321->324 322->321 329 6d1953a9-6d1953bb SetLastError 322->329 325 6d1950ea-6d19515c memcpy 323->325 326 6d1953c0-6d1953cd SetLastError 323->326 324->310 334 6d1951ea-6d1951f5 325->334 335 6d195162-6d195164 325->335 330 6d1953d0-6d1953e6 call 6d194e50 326->330 329->310 336 6d1951fb-6d19520a 334->336 337 6d195660-6d19566a 334->337 338 6d195166-6d19516b 335->338 341 6d195210-6d19521e 336->341 342 6d195472-6d19549a 336->342 339 6d1956eb-6d1956ee 337->339 340 6d19566c-6d195680 337->340 343 6d195171-6d19517a 338->343 344 6d1953f0-6d1953fc 338->344 345 6d195682-6d19568e 340->345 346 6d1956e6 340->346 348 6d195220-6d19523a IsBadReadPtr 341->348 349 6d19549c-6d19549f 342->349 350 6d1954b0-6d1954c8 342->350 351 6d19517c-6d1951a8 343->351 352 6d1951ce-6d1951dc 343->352 344->326 347 6d1953fe-6d195426 344->347 354 6d195690-6d19569b 345->354 346->339 347->330 369 6d195428-6d195455 memcpy 347->369 355 6d195470 348->355 356 6d195240-6d195249 348->356 357 6d1956ff-6d195704 349->357 358 6d1954a5-6d1954a8 349->358 359 6d1954ce-6d1954e6 350->359 360 6d1957a6-6d1957aa 350->360 351->330 374 6d1951ae-6d1951c9 memset 351->374 352->338 353 6d1951de-6d1951e6 352->353 353->334 361 6d19569d-6d19569f 354->361 362 6d1956d2-6d1956dc 354->362 355->342 356->355 364 6d19524f-6d195264 356->364 357->350 358->350 365 6d1954aa-6d1954af 358->365 367 6d195541-6d19554d 359->367 373 6d1957b3-6d1957c3 SetLastError 360->373 368 6d1956a0-6d1956ad 361->368 362->354 372 6d1956de-6d1956e2 362->372 382 6d19526a-6d195285 realloc 364->382 383 6d19576f-6d19577f SetLastError 364->383 365->350 370 6d19555a-6d19555e 367->370 371 6d19554f-6d195555 367->371 375 6d1956af-6d1956c0 368->375 376 6d1956c3-6d1956d0 368->376 380 6d19556a-6d19557b 370->380 381 6d195560-6d195568 370->381 377 6d1955a0-6d1955a6 371->377 378 6d195557 371->378 372->346 373->330 374->352 375->376 376->362 376->368 377->370 387 6d1955a8-6d1955ab 377->387 378->370 385 6d19557d-6d195583 380->385 386 6d195585 380->386 381->380 384 6d1954f0-6d1954ff call 6d1949e0 381->384 389 6d19528b-6d1952b5 382->389 390 6d195784-6d1957a1 SetLastError 382->390 383->330 398 6d195720-6d195724 384->398 399 6d195505-6d195514 384->399 385->386 391 6d19558a-6d195596 385->391 386->391 387->370 393 6d1952e8-6d1952f4 389->393 394 6d1952b7 389->394 390->330 395 6d195518-6d195530 391->395 396 6d1952c0-6d1952d6 393->396 397 6d1952f6-6d195307 393->397 403 6d195460-6d195465 394->403 400 6d1955b0-6d1955c9 call 6d1949e0 395->400 401 6d195532-6d19553d 395->401 409 6d195309-6d195326 SetLastError 396->409 410 6d1952d8-6d1952e2 396->410 397->409 397->410 398->330 399->395 400->330 408 6d1955cf-6d1955d9 400->408 401->367 403->348 411 6d1955db-6d1955e4 408->411 412 6d195613-6d195618 408->412 409->330 410->393 410->403 411->412 413 6d1955e6-6d1955ea 411->413 415 6d19561e-6d195629 412->415 416 6d1956f3-6d1956fa 412->416 413->412 417 6d1955ec 413->417 418 6d195729-6d19572c 415->418 419 6d19562f-6d195649 415->419 416->310 420 6d1955f0-6d19560f 417->420 418->310 419->373 422 6d19564f-6d195656 419->422 424 6d195611 420->424 422->310 424->412
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 0f00e1ade42de3f91fed754b1d8ba0d4be3f090df25b8d559b7a0487ad44b8c6
    • Instruction ID: d6aaeaae184612f56b6cefa9e81d8faf7c18c90086f1dc6d943782c872bb66fe
    • Opcode Fuzzy Hash: 0f00e1ade42de3f91fed754b1d8ba0d4be3f090df25b8d559b7a0487ad44b8c6
    • Instruction Fuzzy Hash: 724214B4609702DFE710DF29C58462ABBF1BF88315F45892DE9999B304E7B4E944CF82

    Control-flow Graph

    control_flow_graph 1122 6d1159f0-6d115a05 1123 6d116c61-6d116c66 call 6d16ae50 1122->1123 1124 6d115a0b-6d115a31 call 6d170980 1122->1124 1123->1122 1129 6d115a33-6d115a38 1124->1129 1130 6d115a3a-6d115a3d 1124->1130 1131 6d115a40-6d115aa7 call 6d1709b0 call 6d16cff0 1129->1131 1130->1131 1136 6d115ab3-6d115b83 call 6d139e30 call 6d16ad60 * 2 call 6d139a20 1131->1136 1137 6d115aa9-6d115ab1 call 6d16c260 1131->1137 1148 6d115b85-6d115b89 1136->1148 1149 6d115b8b-6d115b93 call 6d159ba0 1136->1149 1137->1136 1150 6d115b97-6d115b99 1148->1150 1149->1150 1153 6d115b9b-6d115bca call 6d15a140 call 6d159cd0 1150->1153 1154 6d115bcf-6d115be5 1150->1154 1153->1154 1155 6d115bf1-6d115c00 1154->1155 1156 6d115be7-6d115bef call 6d16c260 1154->1156 1159 6d115c06-6d115f1c call 6d1709b0 call 6d16ad60 call 6d16cff0 call 6d16d050 call 6d1709d0 * 2 call 6d12fc30 call 6d15f810 * 2 call 6d1707f0 * 3 1155->1159 1160 6d116c4a-6d116c60 call 6d166a90 1155->1160 1156->1155 1190 6d115f24-6d115fc2 call 6d10a4e0 call 6d13ed60 call 6d10a700 call 6d121f00 call 6d1185c0 call 6d12ce30 call 6d1229f0 1159->1190 1191 6d115f1e 1159->1191 1160->1123 1206 6d115fd0-6d115fd2 1190->1206 1207 6d115fc4-6d115fc6 1190->1207 1191->1190 1210 6d115fd8-6d116095 call 6d16c476 call 6d16c94a call 6d16ad60 call 6d12d3f0 call 6d125470 call 6d16ad60 * 2 1206->1210 1211 6d116c1e-6d116c2f call 6d166a90 1206->1211 1208 6d116c34-6d116c45 call 6d166a90 1207->1208 1209 6d115fcc-6d115fce 1207->1209 1208->1160 1209->1206 1209->1210 1228 6d1160b4-6d1160bc 1210->1228 1229 6d116097-6d1160af call 6d122a70 1210->1229 1211->1208 1231 6d1160c2-6d116130 call 6d16c47a call 6d136bb0 call 6d15fa50 1228->1231 1232 6d116abf-6d116b05 call 6d10a4e0 1228->1232 1229->1228 1248 6d116140-6d11615e 1231->1248 1237 6d116b14-6d116b30 call 6d10a700 1232->1237 1238 6d116b07-6d116b12 call 6d16c260 1232->1238 1247 6d116b55-6d116b5e 1237->1247 1238->1237 1249 6d116b60-6d116b8b call 6d11ed90 1247->1249 1250 6d116b32-6d116b54 call 6d1043c0 1247->1250 1253 6d116160-6d116163 1248->1253 1254 6d116169-6d1161ec 1248->1254 1262 6d116b9b-6d116bf2 call 6d148b70 * 2 1249->1262 1263 6d116b8d-6d116b96 call 6d16ad60 1249->1263 1250->1247 1253->1254 1257 6d116216-6d11621c 1253->1257 1258 6d1161f2-6d1161fc 1254->1258 1259 6d116c14-6d116c19 call 6d16c2e0 1254->1259 1264 6d116222-6d1163bc call 6d167ed0 call 6d136bb0 call 6d137410 call 6d137100 call 6d137410 * 3 call 6d137230 call 6d137410 call 6d136c10 call 6d16c47a 1257->1264 1265 6d116c0a-6d116c0f call 6d16c2e0 1257->1265 1260 6d11620f-6d116211 1258->1260 1261 6d1161fe-6d11620a 1258->1261 1259->1211 1267 6d116132-6d11613e 1260->1267 1261->1267 1279 6d116c03-6d116c09 1262->1279 1280 6d116bf4-6d116bfa 1262->1280 1263->1262 1299 6d11645e-6d116461 1264->1299 1265->1259 1267->1248 1280->1279 1282 6d116bfc 1280->1282 1282->1279 1300 6d1164e7-6d116690 call 6d136bb0 call 6d137410 call 6d136c10 call 6d170830 * 4 call 6d16c476 1299->1300 1301 6d116467-6d116484 1299->1301 1336 6d116717-6d11671a 1300->1336 1302 6d1163c1-6d116457 call 6d1180a0 call 6d167ed0 call 6d136bb0 call 6d137410 call 6d136c10 1301->1302 1303 6d11648a-6d1164e2 call 6d136bb0 call 6d137410 call 6d136c10 1301->1303 1302->1299 1303->1302 1337 6d1167c0-6d116a5a call 6d1709b0 * 2 call 6d136bb0 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137230 call 6d137410 call 6d136c10 1336->1337 1338 6d116720-6d116744 1336->1338 1404 6d116a7c-6d116aad call 6d136bb0 call 6d136db0 call 6d136c10 1337->1404 1405 6d116a5c-6d116a77 call 6d136bb0 call 6d137410 call 6d136c10 1337->1405 1339 6d116746-6d116749 1338->1339 1340 6d11674b-6d116779 call 6d136bb0 call 6d137410 call 6d136c10 1338->1340 1339->1340 1342 6d11677e-6d116780 1339->1342 1345 6d116695-6d116716 call 6d1180a0 call 6d167ed0 call 6d136bb0 call 6d137410 call 6d136c10 1340->1345 1342->1345 1346 6d116786-6d1167bb call 6d136bb0 call 6d137410 call 6d136c10 1342->1346 1345->1336 1346->1345 1404->1232 1417 6d116aaf-6d116aba call 6d10a700 1404->1417 1405->1404 1417->1232
    Strings (Go string-table runs: the Go linker stores string literals back to back with no terminators and the code references them by pointer and length, so a string extracted at an xref address keeps reading into the neighbouring literals; the literal actually referenced is a prefix of the run shown, with its length given by the referencing instruction rather than by the data)
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D116C34
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D1164A4, 6D11678B
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D115ABA
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D1168DC
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D1162C7
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D116A06
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D116C1E
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D11629A
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D1164EC
    • 5, xrefs: 6D116C27
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D116C4A
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D11699C
    • , xrefs: 6D11606A
    • ., xrefs: 6D1161FE
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: 8dd9d237f60f4667437a7b82560b22eeaa190e8ec27d0bd9b18e430805360a71
    • Instruction ID: b7a200feac4283e07d364517377ac5e55fdcd80945499cfe1ae0a9c42ebcf73a
    • Opcode Fuzzy Hash: 8dd9d237f60f4667437a7b82560b22eeaa190e8ec27d0bd9b18e430805360a71
    • Instruction Fuzzy Hash: D3B2F87451D385CFC764EF28C494BAABBF1FB89308F02892ED98987355D7B09844CB92

    Control-flow Graph

    control_flow_graph 1419 6d1293f0-6d129402 1420 6d129f94-6d129f99 call 6d16ae50 1419->1420 1421 6d129408-6d129450 1419->1421 1420->1419 1423 6d129476-6d12947d 1421->1423 1425 6d129483-6d1294ed 1423->1425 1426 6d12957b-6d129581 1423->1426 1427 6d1294f3-6d1294f5 1425->1427 1428 6d129f8c-6d129f93 call 6d16c320 1425->1428 1429 6d129587-6d1295b3 call 6d12c5d0 1426->1429 1430 6d1297f9-6d129800 call 6d16c2f0 1426->1430 1432 6d129f85-6d129f87 call 6d16c340 1427->1432 1433 6d1294fb-6d129545 1427->1433 1428->1420 1444 6d129621-6d129631 1429->1444 1445 6d1295b5-6d129620 call 6d129360 1429->1445 1436 6d129805-6d12980c 1430->1436 1432->1428 1437 6d129552-6d129556 1433->1437 1438 6d129547-6d129550 1433->1438 1442 6d129810-6d129812 1436->1442 1443 6d129558-6d129576 1437->1443 1438->1443 1446 6d129818 1442->1446 1447 6d1299fd 1442->1447 1443->1442 1448 6d129637-6d129648 1444->1448 1449 6d1297f4 call 6d16c2e0 1444->1449 1452 6d129f7e-6d129f80 call 6d16c2e0 1446->1452 1453 6d12981e-6d12984c 1446->1453 1455 6d129a01-6d129a0a 1447->1455 1450 6d1297e1-6d1297e9 1448->1450 1451 6d12964e-6d129653 1448->1451 1449->1430 1450->1449 1457 6d1297c6-6d1297d6 1451->1457 1458 6d129659-6d129666 1451->1458 1452->1432 1460 6d129856-6d1298af 1453->1460 1461 6d12984e-6d129854 1453->1461 1463 6d129d72-6d129de0 call 6d129360 1455->1463 1464 6d129a10-6d129a16 1455->1464 1457->1450 1467 6d1297b8-6d1297c1 1458->1467 1468 6d12966c-6d1297b3 call 6d136bb0 call 6d137410 call 6d137230 call 6d137410 call 6d137230 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d136c10 call 6d136bb0 call 6d137410 call 6d137100 call 6d136db0 call 6d136c10 call 6d166a90 1458->1468 1479 6d1298b1-6d1298bd 1460->1479 1480 6d1298bf-6d1298c8 1460->1480 1461->1436 1478 6d129ee5-6d129eeb 1463->1478 1465 6d129d53-6d129d71 1464->1465 1466 6d129a1c-6d129a26 1464->1466 1471 6d129a41-6d129a55 1466->1471 1472 6d129a28-6d129a3f 1466->1472 1468->1467 1476 6d129a5c 1471->1476 1472->1476 1481 6d129a71-6d129a91 1476->1481 1482 6d129a5e-6d129a6f 1476->1482 1484 6d129f68-6d129f79 call 6d166a90 1478->1484 1485 6d129eed-6d129f02 1478->1485 1486 6d1298ce-6d1298e0 1479->1486 1480->1486 1488 6d129a98 1481->1488 1482->1488 1484->1452 1490 6d129f04-6d129f09 1485->1490 1491 6d129f0b-6d129f1d 1485->1491 1492 6d1298e6-6d1298eb 1486->1492 1493 6d1299c8-6d1299ca 1486->1493 1494 6d129aa1-6d129aa4 1488->1494 1495 6d129a9a-6d129a9f 1488->1495 1497 6d129f1f 1490->1497 1491->1497 1500 6d1298f4-6d129908 1492->1500 1501 6d1298ed-6d1298f2 1492->1501 1498 6d1299e2 1493->1498 1499 6d1299cc-6d1299e0 1493->1499 1502 6d129aaa-6d129d4e call 6d136bb0 call 6d137410 call 6d137230 call 6d137410 call 6d137230 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d136db0 call 6d136c10 call 6d136bb0 call 6d137410 call 6d137230 call 6d137410 call 6d137100 call 6d137410 call 6d137230 call 6d136db0 call 6d136c10 call 6d136bb0 call 6d137410 call 6d1372a0 call 6d137410 call 6d137230 call 6d136db0 call 6d136c10 call 6d136bb0 call 6d137410 call 6d137100 call 6d137410 call 6d137100 call 6d136db0 call 6d136c10 1494->1502 1495->1502 1504 6d129f21-6d129f26 1497->1504 1505 6d129f28-6d129f40 1497->1505 1506 6d1299e6-6d1299fb 1498->1506 1499->1506 1507 6d12990f-6d129911 1500->1507 1501->1507 1502->1478 1512 6d129f42-6d129f4e 1504->1512 1505->1512 1506->1455 1508 6d129452-6d12946f 1507->1508 1509 6d129917-6d129919 1507->1509 1508->1423 1513 6d129922-6d12993d 1509->1513 1514 6d12991b-6d129920 1509->1514 1517 6d129f50-6d129f55 1512->1517 1518 6d129f5a-6d129f5d 1512->1518 1520 6d1299a7-6d1299c3 1513->1520 1521 6d12993f-6d129944 1513->1521 1519 6d12994b 1514->1519 1518->1484 1524 6d12995e-6d12996d 1519->1524 1525 6d12994d-6d12995c 1519->1525 1520->1436 1521->1519 1528 6d129970-6d1299a2 1524->1528 1525->1528 1528->1436
    Strings
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D12967A, 6D129AB3
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D129D15
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D129BD7
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D1296CD
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D129B1A
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D1296F7, 6D129721, 6D129B44, 6D129B6E
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D129CE8
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D129C88
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D1296A4, 6D129AED
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D129C04
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1297A2, 6D129F68
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D12976B
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D129C5B
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 464983c6198f328da5268bb47edcb6ccb43389dd4b03d3cc300faf0b3b234c03
    • Instruction ID: 87a0af454b7c1ca55fed1f6f3d0cf53112db2f51c778d284434d4588cacd2278
    • Opcode Fuzzy Hash: 464983c6198f328da5268bb47edcb6ccb43389dd4b03d3cc300faf0b3b234c03
    • Instruction Fuzzy Hash: 95524875A4C758CFD720DF68C09075EBBE1BF89304F02892DEA9887349D7B5A844CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1779 6d131570-6d13157e 1780 6d131584-6d1315b6 call 6d1332a0 1779->1780 1781 6d13181e-6d131823 call 6d16ae50 1779->1781 1786 6d131807-6d13181d call 6d166a90 1780->1786 1787 6d1315bc-6d1315ea call 6d131470 1780->1787 1781->1779 1786->1781 1792 6d1315fc-6d131631 call 6d1332a0 1787->1792 1793 6d1315ec-6d1315f9 call 6d16c270 1787->1793 1798 6d1317f1-6d131802 call 6d166a90 1792->1798 1799 6d131637-6d131669 call 6d131470 1792->1799 1793->1792 1798->1786 1803 6d13167b-6d131683 1799->1803 1804 6d13166b-6d131678 call 6d16c270 1799->1804 1805 6d131689-6d1316bb call 6d131470 1803->1805 1806 6d13172d-6d13175f call 6d131470 1803->1806 1804->1803 1815 6d1316cd-6d1316d5 1805->1815 1816 6d1316bd-6d1316ca call 6d16c270 1805->1816 1813 6d131771-6d1317a9 call 6d131470 1806->1813 1814 6d131761-6d13176e call 6d16c270 1806->1814 1827 6d1317bb-6d1317c4 1813->1827 1828 6d1317ab-6d1317b8 call 6d16c270 1813->1828 1814->1813 1820 6d1317db-6d1317ec call 6d166a90 1815->1820 1821 6d1316db-6d13170d call 6d131470 1815->1821 1816->1815 1820->1798 1831 6d13171f-6d131727 1821->1831 1832 6d13170f-6d13171c call 6d16c270 1821->1832 1828->1827 1831->1806 1833 6d1317c5-6d1317d6 call 6d166a90 1831->1833 1832->1831 1833->1820
    Strings
    • , xrefs: 6D1316A2
    • NtAssociateWaitCompletionPacket, xrefs: 6D131690
    • RtlGetCurrentPeb, xrefs: 6D131734
    • , xrefs: 6D13169A
    • bcryptprimitives.dll, xrefs: 6D13158D
    • ntdll.dll, xrefs: 6D131608
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D131807
    • P, xrefs: 6D1317E4
    • NtCreateWaitCompletionPacket, xrefs: 6D13163E
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D1317C5
    • ProcessPrng, xrefs: 6D1315BF
    • NtCancelWaitCompletionPacket, xrefs: 6D1316E2
    • RtlGetVersion, xrefs: 6D13177E
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: 021fda303c2a83d1c4a2b6ea73decea6922ffbddfcdce972d9aada141c648e8d
    • Instruction ID: 79c54ba3f6f0e0fa0581b797ea956ee9d785c5588c2a64cd5aedf172a7a91c4f
    • Opcode Fuzzy Hash: 021fda303c2a83d1c4a2b6ea73decea6922ffbddfcdce972d9aada141c648e8d
    • Instruction Fuzzy Hash: 9A71C5B4119742DFDB04DF64D08476ABBF0BF96748F02882DE99887344D7B49488CFA2
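    The control-flow graph and string cross-references in this record describe one function at 6d131570: it loads bcryptprimitives.dll and ntdll.dll, resolves ProcessPrng, NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb and RtlGetVersion, and on failure falls into blocks that reference the messages "bcryptprimitives.dll not found" and "NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not". Those names and messages are the Go runtime's optional-syscall loader (runtime/os_windows.go), so this function is compiler-emitted start-up code, not logic specific to this sample. The Python script below is an added triage aid, not part of the Joe Sandbox report and not code from the sample: it parses the report's flattened control_flow_graph line and its "Strings ... xrefs" bullets (both embedded as constructed input copied from this record, with the two long runtime-string runs shortened), maps each string xref onto the basic block that contains it, groups the strings by the helper each block calls, and flags the Go runtime names. Reading 6d1332a0 and 6d131470 as LoadLibrary- and GetProcAddress-style wrappers and 6d166a90 as the runtime's throw is an inference from that grouping that has to be confirmed in the disassembly, and GO_RUNTIME_OPTIONAL_SYSCALLS is an analyst-maintained allowlist assumed here, not a Joe Sandbox feature.

```python
import re
from collections import defaultdict

# Constructed input, copied from this report record (function 6d131570). Joe Sandbox
# flattens the graph as "<id> <start>-<end> [call <addr>]* ... <src>-><dst>".
CFG_TEXT = (
    "1779 6d131570-6d13157e 1780 6d131584-6d1315b6 call 6d1332a0 1779->1780 1781 6d13181e-6d131823 "
    "call 6d16ae50 1779->1781 1786 6d131807-6d13181d call 6d166a90 1780->1786 1787 6d1315bc-6d1315ea "
    "call 6d131470 1780->1787 1781->1779 1786->1781 1792 6d1315fc-6d131631 call 6d1332a0 1787->1792 "
    "1793 6d1315ec-6d1315f9 call 6d16c270 1787->1793 1798 6d1317f1-6d131802 call 6d166a90 1792->1798 "
    "1799 6d131637-6d131669 call 6d131470 1792->1799 1793->1792 1798->1786 1803 6d13167b-6d131683 "
    "1799->1803 1804 6d13166b-6d131678 call 6d16c270 1799->1804 1805 6d131689-6d1316bb call 6d131470 "
    "1803->1805 1806 6d13172d-6d13175f call 6d131470 1803->1806 1804->1803 1815 6d1316cd-6d1316d5 "
    "1805->1815 1816 6d1316bd-6d1316ca call 6d16c270 1805->1816 1813 6d131771-6d1317a9 call 6d131470 "
    "1806->1813 1814 6d131761-6d13176e call 6d16c270 1806->1814 1827 6d1317bb-6d1317c4 1813->1827 "
    "1828 6d1317ab-6d1317b8 call 6d16c270 1813->1828 1814->1813 1820 6d1317db-6d1317ec call 6d166a90 "
    "1815->1820 1821 6d1316db-6d13170d call 6d131470 1815->1821 1816->1815 1820->1798 "
    "1831 6d13171f-6d131727 1821->1831 1832 6d13170f-6d13171c call 6d16c270 1821->1832 1828->1827 "
    "1831->1806 1833 6d1317c5-6d1317d6 call 6d166a90 1831->1833 1832->1831 1833->1820"
)
# The record's "Strings ... xrefs" bullets; the two long runtime-string runs are shortened.
STRINGS_TEXT = """\
• , xrefs: 6D1316A2
• NtAssociateWaitCompletionPacket, xrefs: 6D131690
• RtlGetCurrentPeb, xrefs: 6D131734
• , xrefs: 6D13169A
• bcryptprimitives.dll, xrefs: 6D13158D
• ntdll.dll, xrefs: 6D131608
• bcryptprimitives.dll not foundpanic called with nil argument, xrefs: 6D131807
• P, xrefs: 6D1317E4
• NtCreateWaitCompletionPacket, xrefs: 6D13163E
• NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not, xrefs: 6D1317C5
• ProcessPrng, xrefs: 6D1315BF
• NtCancelWaitCompletionPacket, xrefs: 6D1316E2
• RtlGetVersion, xrefs: 6D13177E
"""

TOKEN_RE = re.compile(
    r"(?P<bid>\d+) (?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)"  # basic block
    r"|call (?P<callee>[0-9a-f]+)"                           # call made from that block
    r"|(?P<src>\d+)->(?P<dst>\d+)"                           # edge between block ids
)

def parse_cfg(text):
    """Return ({block id: (start, end, [callees])}, [(src id, dst id)])."""
    blocks, edges, calls = {}, [], None
    for m in TOKEN_RE.finditer(text):
        if m.group("bid"):
            calls = []
            blocks[int(m.group("bid"))] = (int(m.group("start"), 16), int(m.group("end"), 16), calls)
        elif m.group("callee"):
            calls.append(int(m.group("callee"), 16))
        else:
            edges.append((int(m.group("src")), int(m.group("dst"))))
    return blocks, edges

def parse_strings(text):
    """Return [(string, [xref addresses])]; IDA's empty-string xrefs are dropped."""
    refs = []
    for line in text.splitlines():
        value, sep, xrefs = line.strip().lstrip("•").strip().rpartition(", xrefs: ")
        if sep and value:
            refs.append((value, [int(a, 16) for a in xrefs.split(", ")]))
    return refs

def block_containing(blocks, addr):
    return next((bid for bid, (start, end, _) in blocks.items() if start <= addr <= end), None)

def strings_by_block(blocks, refs):
    """Map each block id to the strings referenced from inside that block."""
    out = defaultdict(list)
    for value, addrs in refs:
        for addr in addrs:
            bid = block_containing(blocks, addr)
            if bid is not None:
                out[bid].append(value)
    return dict(out)

def callee_arguments(blocks, refs):
    """Group referenced strings by the helper called from the referencing block: DLL names
    suggest a LoadLibrary wrapper, export names GetProcAddress, messages the runtime's throw."""
    sbb, out = strings_by_block(blocks, refs), defaultdict(set)
    for bid, (_, _, callees) in blocks.items():
        for callee in callees:
            out[callee].update(sbb.get(bid, []))
    return {callee: sorted(values) for callee, values in out.items()}

# Analyst-maintained allowlist (an assumption of this example, not a Joe Sandbox feature):
# the names the Go runtime resolves in its optional-syscall loader, runtime/os_windows.go.
GO_RUNTIME_OPTIONAL_SYSCALLS = {"NtCreateWaitCompletionPacket", "NtAssociateWaitCompletionPacket",
                                "NtCancelWaitCompletionPacket", "RtlGetCurrentPeb", "RtlGetVersion", "ProcessPrng"}

def runtime_imports(refs):
    return sorted(value for value, _ in refs if value in GO_RUNTIME_OPTIONAL_SYSCALLS)

if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    refs = parse_strings(STRINGS_TEXT)
    for bid, names in sorted(strings_by_block(blocks, refs).items(), key=lambda kv: blocks[kv[0]][0]):
        print(f"{blocks[bid][0]:08x}-{blocks[bid][1]:08x} calls={[hex(c) for c in blocks[bid][2]]} {names}")
    print({hex(c): a for c, a in callee_arguments(blocks, refs).items()}, runtime_imports(refs))
```

    Run as a script it prints, per block, the helper it calls and the string it passes: 6d1332a0 receives only DLL names, 6d131470 only export names, and 6d166a90 only failure messages, which is the shape of Go's loadOptionalSyscalls. The same caveat applies to the next record: PowerRegisterSuspendResumeNotification at 6D123D16 is registered by the Go runtime (runtime.monitorSuspendResume) so that timers recover after a sleep, so that string by itself is runtime behaviour rather than evidence of the sample's own intent; the sample-specific logic is in the functions whose strings are not runtime messages.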
    Strings
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D1241A9
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D123C4F
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D123D16
    • , xrefs: 6D123E12
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D123C65
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D123E09
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D12418A
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D123DAB
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D123CE2, 6D124156
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D123CB8, 6D12412C
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D123D81
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve dump regions (6D100000 through 6D271000) listed under the preceding Memory Dump Source entry
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: f65badfae19268dcf55af1b7b3a91db97ed95b1c69667b77c88ceb371ca2f3be
    • Instruction ID: 989fc7a387ac1fe09400c6688d634c336d4bb24863b1f281b07308229ba4fcdd
    • Opcode Fuzzy Hash: f65badfae19268dcf55af1b7b3a91db97ed95b1c69667b77c88ceb371ca2f3be
    • Instruction Fuzzy Hash: 69825AB460C3958FC351DF24C090B6ABBF1BF89708F41886EE9D887355D7B19985CB92
    Strings
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D132E7B, 6D132ED6
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D132EFD
    • %, xrefs: 6D132F3A
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D132D95
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D132DEC
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D132F31
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D132DC9
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D132E20
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D132E47, 6D132EA2
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D132D6E
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D132D29
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve dump regions (6D100000 through 6D271000) listed under the preceding Memory Dump Source entry
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: 98df9520803e83b71ce6129610a9c55d9442c8d90e7266635c6989edf629cd45
    • Instruction ID: 612fe00115aace88f6946483b7a3293f661d6acf6d3312ae566d4d4d14ec620b
    • Opcode Fuzzy Hash: 98df9520803e83b71ce6129610a9c55d9442c8d90e7266635c6989edf629cd45
    • Instruction Fuzzy Hash: 56C1EFB460C3558FD700EF68D08475ABBF4AF89708F02896DE5988B349D7B59948CFA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve dump regions (6D100000 through 6D271000) listed under the preceding Memory Dump Source entry
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 8f36b72bf2b548912496ffb5d88e7322d67cf4b661ff3743bb1263fff8ea5b8a
    • Instruction ID: 4133d1a3ef75173fa463f9d07551d3b7c0b1817987a08978f620238082e06eb5
    • Opcode Fuzzy Hash: 8f36b72bf2b548912496ffb5d88e7322d67cf4b661ff3743bb1263fff8ea5b8a
    • Instruction Fuzzy Hash: 1A0152B18093049BC7007FB9990932EBFF8AB42659F05852DE888DB209DBB05454CB93
    Strings
    • p, xrefs: 6D163D5E
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D163D1B
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D1636FF
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D163D47
    • 3-, xrefs: 6D163D58
    • 4, xrefs: 6D163D0E
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D163D31
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D163D05
    • 2, xrefs: 6D163D50
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve dump regions (6D100000 through 6D271000) listed under the preceding Memory Dump Source entry
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: 745e8e3c21d37297d76a96693345a101dee7e906d48208be6ca6fd1ae6053446
    • Instruction ID: ba35be2e392e5274ee8f5a8f4e0eef2390f36f4b4d94a8b149a60e2ff9a6beb6
    • Opcode Fuzzy Hash: 745e8e3c21d37297d76a96693345a101dee7e906d48208be6ca6fd1ae6053446
    • Instruction Fuzzy Hash: 3E62C1706083918FC704CF29C09062ABBF1FF89714F09896DE9948B396D7B5D956CFA2
    Strings
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D17D1C5
    • !, xrefs: 6D17D0EC
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D17CF75, 6D17D068, 6D17D138, 6D17D6F4, 6D17D816, 6D17D8A7, 6D17D938, 6D17D9CD
    • $, xrefs: 6D17D66D
    • v, xrefs: 6D17D025
    • n, xrefs: 6D17D1B1
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D17D785
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D17D663
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve dump regions (6D100000 through 6D271000) listed under the preceding Memory Dump Source entry
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
    • API String ID: 0-3686076665
    • Opcode ID: 144a5fc071720dade426473d546c9a9fc3470c4ee7b81b801c6830c4af8041b7
    • Instruction ID: 8b19937042f902f33ab48571dd179c4e9197c549aa849f0a1fc73904c34a0936
    • Opcode Fuzzy Hash: 144a5fc071720dade426473d546c9a9fc3470c4ee7b81b801c6830c4af8041b7
    • Instruction Fuzzy Hash: E67215B4A08349CFC724DF68C180B5AFBF1BB89704F55892DE9A887354DBB49944CF92
    Strings
    • 0, xrefs: 6D1830B1
    • 0, xrefs: 6D183267
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D183BE4, 6D183EAF, 6D183FF3, 6D1842D5
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWHolderMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg, xrefs: 6D183BCA, 6D183E95
    • 0, xrefs: 6D183150
    • 0, xrefs: 6D183344
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6D183FD9, 6D1842BB
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWHolderMousebroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernameg$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
    • API String ID: 0-3530988254
    • Opcode ID: a3b9e9f7cbbf21d1cfc9f2ec14a9b3dddeb2263026dec55d3da2d91dce451974
    • Instruction ID: c736cc8ed87378a15d68943d81bc26bb6f045d78da75a15a3b7a1bc447957467
    • Opcode Fuzzy Hash: a3b9e9f7cbbf21d1cfc9f2ec14a9b3dddeb2263026dec55d3da2d91dce451974
    • Instruction Fuzzy Hash: E703D3B4A0D3818FC725CF18C09069EFBE1BBC9310F15892EE99997356D7B0A945CF92
    Strings
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D1566C5
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D156539
    • , xrefs: 6D156031
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D156566
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D1563FD
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D156593
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D156320
    • , xrefs: 6D156039
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 1aab6cae12e5efe934ba31a6e572f2d081c89d854698d0da8b9f76674d67c0ef
    • Instruction ID: 9c8f7881f076acd5cc160a2b5dfec5ca74284397e393bcae998fd11a408109b5
    • Opcode Fuzzy Hash: 1aab6cae12e5efe934ba31a6e572f2d081c89d854698d0da8b9f76674d67c0ef
    • Instruction Fuzzy Hash: 0732E4B460C3958FC364DF65C18079EBBE1AFC9304F02892EE9D887359DBB49854CB92
    Strings
    • timeBeginPeriod, xrefs: 6D131B29
    • &, xrefs: 6D131C3D
    • timeEndPeriod, xrefs: 6D131B73
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D131C34
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D131C0D
    • winmm.dll, xrefs: 6D131AF3
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D131BD9
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: d4a02366740e94a6f5ea4ba783e6a25b8ac5877f44f90423e93fc5aeed175390
    • Instruction ID: 9b1e4356327f0060e61382e8dd667a9f4adc8388884e4a99d326aea67b19707d
    • Opcode Fuzzy Hash: d4a02366740e94a6f5ea4ba783e6a25b8ac5877f44f90423e93fc5aeed175390
    • Instruction Fuzzy Hash: 1451C7B461D3519FDB04EF68D09472ABBF0BF59348F02881DE59887348D7B59488CFA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 8fc93a68829a55c18e0894ce3e8e7f9a83eb9ed5eede40fc6c1082f4381cdb7c
    • Instruction ID: f7c33bf88e0425981884c9adcc3b8c5d32955ce1325a4a0ac970b78e6a3cbc60
    • Opcode Fuzzy Hash: 8fc93a68829a55c18e0894ce3e8e7f9a83eb9ed5eede40fc6c1082f4381cdb7c
    • Instruction Fuzzy Hash: E50192B04083019FD700AF68C58931BBBF0BB88749F00C91DE9989A254D7B58249CF93
    Strings
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D13E093
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D13E0EB
    • !, xrefs: 6D13E0DE
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D13E0D5
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D13E0BF
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D13E0A9
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: 0212a7ad0204a5d63b6e0677605cd69bd197f53b9112ab3cd663fc5ea02e9506
    • Instruction ID: 106a5edf81c1106d769ec16e2b890eca7ba039ac5f35442b94b4bc94c0e3fbdb
    • Opcode Fuzzy Hash: 0212a7ad0204a5d63b6e0677605cd69bd197f53b9112ab3cd663fc5ea02e9506
    • Instruction Fuzzy Hash: 8EA2D3B460D3518FD724DF68C090B6ABBF1BF8A744F02882DE9D887354EBB59844CB52
    Strings
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D131417
    • 5, xrefs: 6D131420
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D131369
    • d, xrefs: 6D131276
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D1313C4
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D13139D, 6D1313F8, 6D13144B
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 8ff3ff0930c903b0d66e05b67c83e2747ad551c157c0311cf2e4f93e0d11125f
    • Instruction ID: cab5bb0a9e640969c03683468624e62ff9d92fbdb3bf22093b2df9e71a3f3012
    • Opcode Fuzzy Hash: 8ff3ff0930c903b0d66e05b67c83e2747ad551c157c0311cf2e4f93e0d11125f
    • Instruction Fuzzy Hash: 1B51AFB461C355DFD740EF28D19475ABBF0AF88708F02882DE59887358D7B49988CBA3
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D19634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D19635F
    • GetCurrentProcess.KERNEL32 ref: 6D196368
    • TerminateProcess.KERNEL32 ref: 6D196379
    • abort.MSVCRT ref: 6D196382
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 5c2f1826055b43150079bdfc393fdb98e22dec8772bcc4a97d6b49586ff380dc
    • Instruction ID: b1d3099d49a9b8d9f0ffb6f2d3636dd45ac6492339b988b8ab1df79f8bb25b06
    • Opcode Fuzzy Hash: 5c2f1826055b43150079bdfc393fdb98e22dec8772bcc4a97d6b49586ff380dc
    • Instruction Fuzzy Hash: 3611F3B5804385CFCB00EF69C54972ABBF0FB5A708F00C929E948CB344E7749A44DB92
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D196289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1013B9), ref: 6D19629A
    • GetCurrentThreadId.KERNEL32 ref: 6D1962A2
    • GetTickCount.KERNEL32 ref: 6D1962AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1013B9), ref: 6D1962B9
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 27fc542ac90204dee6509684b6ec0c38d36923469e82ff8e4255fbd8efd4020c
    • Instruction ID: 820dc48457a910d80508d4e742fb0c95f03b0303703acfd4eed3711ff94b8190
    • Opcode Fuzzy Hash: 27fc542ac90204dee6509684b6ec0c38d36923469e82ff8e4255fbd8efd4020c
    • Instruction Fuzzy Hash: A81188B1A053408BCB00DF78E88865BBBF5FB89668F058D3AE444CA300EB70D558CBD2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D19634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D19635F
    • GetCurrentProcess.KERNEL32 ref: 6D196368
    • TerminateProcess.KERNEL32 ref: 6D196379
    • abort.MSVCRT ref: 6D196382
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b6b5775c4c849de9f93bc2226947f6f2812c50a5b71f24b727b362cc28c96eb4
    • Instruction ID: 7335f251481e1483d3f6cf11a999bc37c5c4a91ce6f0c58db514f5cf8a4898d6
    • Opcode Fuzzy Hash: b6b5775c4c849de9f93bc2226947f6f2812c50a5b71f24b727b362cc28c96eb4
    • Instruction Fuzzy Hash: DE11EEB5805385DFCB00EFB9C64972A7BF0FB16708F00C529E948CB244E7B49A04DB92
    Strings
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D12198C, 6D1219DB
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D1219C0
    • !, xrefs: 6D121A18
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D121A0F
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: 517e29c43538bcb5caf9d091d66091e3c5018984eba458e932828fac170d157c
    • Instruction ID: b2e048340bffdba38ccefeb05b8296a6b2726caa237557d36ee05fe7d68c6319
    • Opcode Fuzzy Hash: 517e29c43538bcb5caf9d091d66091e3c5018984eba458e932828fac170d157c
    • Instruction Fuzzy Hash: D6F1D33660932A8FD705DE98C4D065EB7E2BBC4344F16893CD99487389EBB39885C7C2
    Strings
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D13A7B0
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D13A690
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D13A843
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D13A7EB
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: 615c4b1bfd19a69ea57c58c1d3dfff6de5572900dc918114da99fca4d82056dd
    • Instruction ID: 9a0d625589eff517728f2dfa1fc9c168560cfe556d2289d4189f1929d1aa946b
    • Opcode Fuzzy Hash: 615c4b1bfd19a69ea57c58c1d3dfff6de5572900dc918114da99fca4d82056dd
    • Instruction Fuzzy Hash: 9DF1F2B460C3818FC704DF68C194A6AFBF1BB89708F16896DE99887355D7B1E845CF82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 66f687c0e36548fdcd4d7b35ef5495867f6dca004ef67d21312bbb98328393ec
    • Instruction ID: b4bcc241e660fa873beb5026f808ca163837cb4addb638270359dd57865e72cd
    • Opcode Fuzzy Hash: 66f687c0e36548fdcd4d7b35ef5495867f6dca004ef67d21312bbb98328393ec
    • Instruction Fuzzy Hash: 4621AEB45083429FD704CF25D094B6ABBF0BB89748F41892DE49887354E7B9DA89CF93
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D146A04
    • <, xrefs: 6D146A0D
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D1469D7
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 92665c220cad84c654707aa4ef3728fcf4218b59ce096bfc99fc77bb4134fa2b
    • Instruction ID: bc9c86282d5320b0c71dc941553a48f18ebfcd695b798499690bf94abff7e0eb
    • Opcode Fuzzy Hash: 92665c220cad84c654707aa4ef3728fcf4218b59ce096bfc99fc77bb4134fa2b
    • Instruction Fuzzy Hash: FD026D70A0C74A8FC714CF69C19065ABBE2BFC8708F15C92DE99987358DBB1D845CB82
    Strings
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D1364A3
    • ', xrefs: 6D1364AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D13648D
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: c214cafba5b5cea6c25001954d9da72fdeeefb763b9fddd346b5b918e03c2071
    • Instruction ID: 7890174a5d0122ee7fe54ff19203ccd0bf083a77b699c775b6bb06fc8c69fae8
    • Opcode Fuzzy Hash: c214cafba5b5cea6c25001954d9da72fdeeefb763b9fddd346b5b918e03c2071
    • Instruction Fuzzy Hash: 33D132B460C3A58FC705CF29C09062ABBF2AF8A708F46885DF9C487355D7B5E944CB92
    Strings
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D126D4E
    • +, xrefs: 6D126D57
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: ddca228c9f2ca74ca6e5e147846ce07d7ba15b33b600f07dc7aedce3bb51ad9f
    • Instruction ID: 5eacbfbbc153ffbdb84a6a1c11a16a25c0e1c9448c2a44df1e1db787f34632f5
    • Opcode Fuzzy Hash: ddca228c9f2ca74ca6e5e147846ce07d7ba15b33b600f07dc7aedce3bb51ad9f
    • Instruction Fuzzy Hash: ED22E37460C3858FC754DF29C190A6ABBF1BF89744F11892DE5D887358DBB6D884CB82
    Strings
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D12B60F
    • @, xrefs: 6D12B4FB
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 32725b03be7fe5b08ab83c73c370533402114c4ffd56af9b7cac854e30958c36
    • Instruction ID: 454fb0d6891f509ad7229e00457b2c2f7f899070b20ce6c9050177b4dedfc3db
    • Opcode Fuzzy Hash: 32725b03be7fe5b08ab83c73c370533402114c4ffd56af9b7cac854e30958c36
    • Instruction Fuzzy Hash: BAA1D27560870A8FC704CF18C88025AB7E1FFC8314F458A2DE9959B355DB75E95ACBC2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: f9bf7ea8d1f8c6ff8d3a9ea3e0f355891edae2f67fc52fea3584d6fb82ea48f8
    • Instruction ID: baafb04ef62c84d5c2d3f7a01ea638ff5620051ac322a2b6db98915267f0bdf2
    • Opcode Fuzzy Hash: f9bf7ea8d1f8c6ff8d3a9ea3e0f355891edae2f67fc52fea3584d6fb82ea48f8
    • Instruction Fuzzy Hash: 19519F20C0CF9B66E6330ABDC4426667B206EB3144B01D76FFDD7B54B2E7526940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D11CFA1
    • ,, xrefs: 6D11CFAA
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: a36fc803803bd2c4949f5c1e960706d50500060a5b22a4ac13b10c8eabb48a33
    • Instruction ID: 0e77270d8ba5b1d43ccaa59defc7f7a03c896d75905edda04614b0a744b10bae
    • Opcode Fuzzy Hash: a36fc803803bd2c4949f5c1e960706d50500060a5b22a4ac13b10c8eabb48a33
    • Instruction Fuzzy Hash: 89318175A093968FD305DF14C480A69B7F1BB86608F0981BDDC484F387DB71984ACBC1
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D185B6E
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: 4726ff15c1554512a863f682fe4faa4bdf253859f88df3592de4bf2da443f531
    • Instruction ID: 2cd9ec4c5d167715903283765aeb35f1e1c3b868f0abbe94f9c8235aefef887e
    • Opcode Fuzzy Hash: 4726ff15c1554512a863f682fe4faa4bdf253859f88df3592de4bf2da443f531
    • Instruction Fuzzy Hash: C85226B1A083898FD334CF18C59039FFBE1ABD5304F45892DDAD89B385E7B599448B92
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: d59502a1d2f7a38e277e4be573f52cc31ab0804c2e43d462860c05a3629cfe05
    • Instruction ID: 99ddded393b60dd92fa39f14c7eadbf375b149f60e1abcd45305b9302ebe7204
    • Opcode Fuzzy Hash: d59502a1d2f7a38e277e4be573f52cc31ab0804c2e43d462860c05a3629cfe05
    • Instruction Fuzzy Hash: 5D22E3B521D3868FC730DF18C4C465EB7E1AFC5304F058A2CD9A98B359DBB4A815CB92
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D110D52
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 79036e25ce1a7f1751fbc46de20bebede6d39834ed0e84f1f0b647717c7e68bf
    • Instruction ID: 666874ba1582921e1b94cb7e8b64487996467c368cc9687fdbc1f81bd42393f0
    • Opcode Fuzzy Hash: 79036e25ce1a7f1751fbc46de20bebede6d39834ed0e84f1f0b647717c7e68bf
    • Instruction Fuzzy Hash: 6FD143B4A1C3458FC704DF29C490A2EBBE0BF89708F01896DE8D987344E7B5E955CB52
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D12D3CB
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: eb724399eed6748cfb64258524373c2ba68a29f873b3d30784ef3b757c1e5105
    • Instruction ID: 05a32797537a0bc3f471a23e13ce41b36d399dbc8e86763cfbc6aa308f3c3c3a
    • Opcode Fuzzy Hash: eb724399eed6748cfb64258524373c2ba68a29f873b3d30784ef3b757c1e5105
    • Instruction Fuzzy Hash: 36B1D4B86083459FC744DF68C08492AB7F1BFC9744F42982DE99487364E7B2E985CF92
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 4b71eafdfa421b1ba30d91cd5e97ba925a1beb0dcf34be626c2c8b436ff08a0a
    • Instruction ID: b275281331a380a968a270a03cd36f5ecde7b0fe4d4af2ed4d122e4951360663
    • Opcode Fuzzy Hash: 4b71eafdfa421b1ba30d91cd5e97ba925a1beb0dcf34be626c2c8b436ff08a0a
    • Instruction Fuzzy Hash: A7A1A371B083054FC70CDE6DD99131AFAE2ABC9304F05CA3DE599CB7A9E674D9058B82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 4b019c5d3dedf932a6ef67ef5f1412522afbfe754fb0f64ea35c47d90a94746f
    • Instruction ID: c982e4fba2de073c0bca8d9a5b5da6fa5ebb53e197eebb6f9a9f0cb62430ddc4
    • Opcode Fuzzy Hash: 4b019c5d3dedf932a6ef67ef5f1412522afbfe754fb0f64ea35c47d90a94746f
    • Instruction Fuzzy Hash: 539112B5A093459FC344CF28C080A5ABBE1FF88744F81992EE99897345E776D985CF82
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1b1696b89f48b6caacea9443a3d9a7e08e353edbb065a4568c523d739f3bb62f
    • Instruction ID: 6fa99802ce79d8527298715461cb44046da9218a315f7d9bbdbb936b6f555afb
    • Opcode Fuzzy Hash: 1b1696b89f48b6caacea9443a3d9a7e08e353edbb065a4568c523d739f3bb62f
    • Instruction Fuzzy Hash: B1825975A083558BC338CE1DC4906DAF7E2BBDD300F55892ED599C3364E7B0AA45CB81
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed99ed0f3c94bb19bb635d861f3e9508f6ad87ba3df9253df9b8175cbbac86a4
    • Instruction ID: 9f39f961a37fdbba99379bf9116836b85fa8f35c548f1ad5daab37e79d3ae559
    • Opcode Fuzzy Hash: ed99ed0f3c94bb19bb635d861f3e9508f6ad87ba3df9253df9b8175cbbac86a4
    • Instruction Fuzzy Hash: 0C226071B1C74A8BD714CF65C49036BF7E2BBD5304F55882DE9858B24AEBF19809CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9a2ff798b3016c27d72c61a010156392fc589bc56a703b0bec4c8defdd3ca6bb
    • Instruction ID: 27998af81e9546f4a90198c75293073113df542b2720dca26542bc76dcc92e30
    • Opcode Fuzzy Hash: 9a2ff798b3016c27d72c61a010156392fc589bc56a703b0bec4c8defdd3ca6bb
    • Instruction Fuzzy Hash: E8128872A087498FD314DE5DC98024AF7E7FBC4304F55CA3DD9598B359EBB0A9058B82
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4038952a62e505defb08e19bb4c84151feaa963edc79bfd54bf85a76b2f79c96
    • Instruction ID: bf0eddc56f5b90aa9114ca1ec06d0bcd3ba8fac4fb41661fea449370b9865522
    • Opcode Fuzzy Hash: 4038952a62e505defb08e19bb4c84151feaa963edc79bfd54bf85a76b2f79c96
    • Instruction Fuzzy Hash: 61E12A33B5971A4BD315DDAC88C025EB2E3ABC8344F09863CDE6497384FAB6DD4986C1
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: df0eed42d6971ebbf9fe14a2f5bd7777be30fc38ec8a23d1cae096e57f05f6d5
    • Instruction ID: b7c31905a90b9047ee89bc2e158bf150af098bb378e8154a89568279caab3f83
    • Opcode Fuzzy Hash: df0eed42d6971ebbf9fe14a2f5bd7777be30fc38ec8a23d1cae096e57f05f6d5
    • Instruction Fuzzy Hash: 7F0280756083468FC724CF68C4C062EF7E2BF89304F15892DE9A98B355D7B4E855CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d959572ec5e9ea34846bfe3fda09e68b9d98a2f2621bd6d421978b1902c7ff77
    • Instruction ID: c8770ba2e7617b2caf8dea8634b3625d10d41b06863928233a6f5032c5e40bac
    • Opcode Fuzzy Hash: d959572ec5e9ea34846bfe3fda09e68b9d98a2f2621bd6d421978b1902c7ff77
    • Instruction Fuzzy Hash: 7FE1E433E247250BD3149E58CC80249B2D3ABC8670F4EC72DED95AB785E9B4ED5987C2
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e91144301f4cfc0edb926498ae00f05cc3e80c7c0be5478e15b064075fe8c8a8
    • Instruction ID: fb797b820d01a7858f36a359836014eec1be7b4fd14cebc34a0293549eeb5788
    • Opcode Fuzzy Hash: e91144301f4cfc0edb926498ae00f05cc3e80c7c0be5478e15b064075fe8c8a8
    • Instruction Fuzzy Hash: 62E1A172A2C3698BC705CF29849031FBBE2BBC5704F45892DE9958B34AD7B59805CFC2
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fbf9cbf1af3b9e04fcc17fdbe9a15f788739d9e97b8486df1c701b658e123c36
    • Instruction ID: 8b3054439da11458a5fb2ba8b706823e281dceae8f545c848ba20aa6a7ad64a3
    • Opcode Fuzzy Hash: fbf9cbf1af3b9e04fcc17fdbe9a15f788739d9e97b8486df1c701b658e123c36
    • Instruction Fuzzy Hash: 7CC1C332B0C3264FC705DE6DC89061EBBE2ABC8344F49863DE9559B395E7B4E9058781
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: faf9b86af97dbd7eab59006f60b31ee6d6469c28d45b53014ff92bb4b5cf0eb7
    • Instruction ID: 31ce2c57a8f70b09e942bc747a0583d1bf5b5905ef277dee7738fe7dfdc1b4d1
    • Opcode Fuzzy Hash: faf9b86af97dbd7eab59006f60b31ee6d6469c28d45b53014ff92bb4b5cf0eb7
    • Instruction Fuzzy Hash: 52E1E37160D3968FC715CF28C0C092EFBE1AFCA204F05896DE9A58B396D774E855CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ebaa8f31ec8e321be1d35522c9249c6f291d98cb11f89de7b26d3c276caa8f6c
    • Instruction ID: 0307aca2857426b3d6040df96d5059d903d501acc13bd9c9ccfac5947ace4781
    • Opcode Fuzzy Hash: ebaa8f31ec8e321be1d35522c9249c6f291d98cb11f89de7b26d3c276caa8f6c
    • Instruction Fuzzy Hash: 56F1E07460C3918FC364CF29C090B5BBBE2BBC9304F55892EE9D887355EB71A945CB52
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1d266fb6a75f1b2ec02e2f1010255d0d0d182282b0663006b1356878daa85b21
    • Instruction ID: 5f52ffb637e50bd69c84c27a14c6cbb2ada723fdb3e347f812ddebff3038b2a2
    • Opcode Fuzzy Hash: 1d266fb6a75f1b2ec02e2f1010255d0d0d182282b0663006b1356878daa85b21
    • Instruction Fuzzy Hash: 8AC1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D96448F7C3DA3AF46B97E4
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 577a819598126ad98c21afa9ae5228c48c7e2b3084aba2c5ebd288e1eeb97413
    • Instruction ID: 213579917365b9b63906cb3d4ae4112a6d78f247487cf4510abc28c81b24acc0
    • Opcode Fuzzy Hash: 577a819598126ad98c21afa9ae5228c48c7e2b3084aba2c5ebd288e1eeb97413
    • Instruction Fuzzy Hash: DAC1527060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D96448F7C3DA3AF46B97E4
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4fc0cc9e8bd6d56d9ae1e796fafcd063d171eb857076866962a3bc7a7250293e
    • Instruction ID: 7e84f08df04ef2ef783cad4949b31c7891e8e19a8c8024073591b9f9f0d6e1a5
    • Opcode Fuzzy Hash: 4fc0cc9e8bd6d56d9ae1e796fafcd063d171eb857076866962a3bc7a7250293e
    • Instruction Fuzzy Hash: 1B91333260971A4FC719CE9CC4D051EB7E3FBC8344F55863CDA690B388EBB299498682
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 99697b74980941891788e8c9ae0d34dfa8f7fe05c0b2a5f3ac786623aff8545e
    • Instruction ID: 177cbfd7dc7c4e08b1d7a09322d544110e4859760b19d479aa9d0b3f054ecc2b
    • Opcode Fuzzy Hash: 99697b74980941891788e8c9ae0d34dfa8f7fe05c0b2a5f3ac786623aff8545e
    • Instruction Fuzzy Hash: 3481473768872A4FD716CDA898D025E3693ABC4314F1A463CDA748B3C9FBF2D95582C1
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f6e36538a9ac50f0ebc8a63e530573f3ae9b117516b57da5c5b11c911ed686ec
    • Instruction ID: 065aa60d4468bcf50359ca5c0f04fe1849d5e4ebd82f19649e0707efa97dd4d3
    • Opcode Fuzzy Hash: f6e36538a9ac50f0ebc8a63e530573f3ae9b117516b57da5c5b11c911ed686ec
    • Instruction Fuzzy Hash: 8191D776A187194BD304DE59CCC0659B3D2BBC8324F49C63CECA89B345E675EE49CB81
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 78e10241f8c606b63395dd7d40e02e74da1f210dcbb84e44d67ada7bddba9d15
    • Instruction ID: e93542fb42fb9e8f079eaa761ba5f809f9e99831bfcf5f68ba7a1c84b085a730
    • Opcode Fuzzy Hash: 78e10241f8c606b63395dd7d40e02e74da1f210dcbb84e44d67ada7bddba9d15
    • Instruction Fuzzy Hash: 0B8109B2A183508FC314DF29D88095AF7E2BFC8748F46892DF988D7315E771E9158B82
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09278898799cedf9db6cca3a6316d12db126f762727743020b89b44ad05428e1
    • Instruction ID: 1994bdc2fe59a0d03db91ee71b8a7fa122a70efe21b9b5bd30c7dac058d7ab7d
    • Opcode Fuzzy Hash: 09278898799cedf9db6cca3a6316d12db126f762727743020b89b44ad05428e1
    • Instruction Fuzzy Hash: 6291CAB4A093459FC308CF28C090A1ABBF1FF89708F418A6EE99997354D771E985CF46
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction ID: 1963f83c12fc1ce5004ee395f96e9d1b29d3c6457ae64efc9dbb546263751a4d
    • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction Fuzzy Hash: 3D51643090C3A44AE3159F6F48D412AFFE16FC6301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d1f84b5a69254ab7401c17e552e637f826ac157e68fa161efc32243c483970f1
    • Instruction ID: ccf5c57abe590652cb5dbc94feb48f407c3c7550a703a4856c1898b8fc8efe1e
    • Opcode Fuzzy Hash: d1f84b5a69254ab7401c17e552e637f826ac157e68fa161efc32243c483970f1
    • Instruction Fuzzy Hash: A151763090C3A44AE3158F6F48D412AFFF16FC6301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3fa6c360b0b9ec38cecd1db65a6027e7012364a36055de3bd4b61dbe9de910ce
    • Instruction ID: c039f28204f497b037d4bc2827b491f21395728b9928e53700a17b47e455201b
    • Opcode Fuzzy Hash: 3fa6c360b0b9ec38cecd1db65a6027e7012364a36055de3bd4b61dbe9de910ce
    • Instruction Fuzzy Hash: 9C5159B56093228FC318DF69C4D0A1AB7E0BF88604F0585BCED599B395D771E846CBC2
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bc4c5c814b093aefc146be1cfa4f7af7535101c2933396fcce15e781e4853d67
    • Instruction ID: a3e9aff559441913d4a3c8261dc8712f4e0ef6472afe85544f63ad788374b54b
    • Opcode Fuzzy Hash: bc4c5c814b093aefc146be1cfa4f7af7535101c2933396fcce15e781e4853d67
    • Instruction Fuzzy Hash: F641C475908B458FC306DE79C49031AB3E2BFC6384F54C72DEA5A6B356EB719842CB42
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ddd9c586252e3ae5109e86b0f4bfb06f2cdd9b8961b889bd9615bbd2fe3cccf8
    • Instruction ID: 8284ac6e9eda37a9a11f07f1c87d327fa5e025b13c9dcbba5daa668d9239ee17
    • Opcode Fuzzy Hash: ddd9c586252e3ae5109e86b0f4bfb06f2cdd9b8961b889bd9615bbd2fe3cccf8
    • Instruction Fuzzy Hash: B531437381971D8BD300AF498C40159F7E2ABD0B20F5E8A5ED9A417701DBB0AA15CBC7
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 338d35fc77015eca68efdfbde46dcf3f06fe8355a2c659672ec79f15beab20b7
    • Instruction ID: 980e999bad4b900f02c25785ec27fb63bc76cacf8f8eb3526ac1c144beaa96e0
    • Opcode Fuzzy Hash: 338d35fc77015eca68efdfbde46dcf3f06fe8355a2c659672ec79f15beab20b7
    • Instruction Fuzzy Hash: B321F5317042518BD708CF39C8F4526F7F3ABCA710B49C56CD45587668DAB4A809C746
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e952aef42f512b90b88496fd0c0769d00a4ea12e0a591e51c4f42f72dd7587c8
    • Instruction ID: 5f8aad30ecc357d9b5212f62363cba25c5797ac6e122f179255512cefdce4809
    • Opcode Fuzzy Hash: e952aef42f512b90b88496fd0c0769d00a4ea12e0a591e51c4f42f72dd7587c8
    • Instruction Fuzzy Hash: B01194706083518FD705CF24D0A476AB7F1FF86308F42889CD5854B395D7BA9899CB52
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eadfae2f48d406f1aacee9a949909f05bc4cf46f14eaad61926b097b9a44ff97
    • Instruction ID: 814e82185b7bde0251906bdfc40c7ee3a5dcf03b1ac92d4d58533a5c220566fe
    • Opcode Fuzzy Hash: eadfae2f48d406f1aacee9a949909f05bc4cf46f14eaad61926b097b9a44ff97
    • Instruction Fuzzy Hash: 8C11DBB4600B118FD398DF59C0D4A66B3E1FB8C200B4A81FDDA0A8B766C670A855DB85
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5873ea4f7d9139b61cc344df133007ce985d5f65176e409e29abccf05254c6a7
    • Instruction ID: 2718ba170fdfe06a2ffc5237eaa2a03527501961d86fd158c25aa5452475bf39
    • Opcode Fuzzy Hash: 5873ea4f7d9139b61cc344df133007ce985d5f65176e409e29abccf05254c6a7
    • Instruction Fuzzy Hash: 77C08CB881A3D29EFB00CB5C810031ABEF19B81300F80C089A14843208C3B482808624

    Control-flow Graph

    APIs
    Strings
    • unexpected cgo_bindm on Windows, xrefs: 6D195EA4
    • ;, xrefs: 6D195F18
    • runtime: failed to signal runtime initialization complete., xrefs: 6D195F2C
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: the same twelve .sdmp dumps (6D100000 through 6D271000) listed for the function above
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6D19659A
    • Address %p has no image-section, xrefs: 6D1965DB
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D1965C7
    • @, xrefs: 6D196578
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    APIs
    • malloc.MSVCRT ref: 6D19606F
    • fwrite.MSVCRT ref: 6D1960BD
    • abort.MSVCRT ref: 6D1960C2
    • free.MSVCRT ref: 6D1960E5
      • Part of subcall function 6D195FB0: _beginthread.MSVCRT ref: 6D195FD6
      • Part of subcall function 6D195FB0: _errno.MSVCRT ref: 6D195FE1
      • Part of subcall function 6D195FB0: _errno.MSVCRT ref: 6D195FE8
      • Part of subcall function 6D195FB0: fprintf.MSVCRT ref: 6D196008
      • Part of subcall function 6D195FB0: abort.MSVCRT ref: 6D19600D
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    APIs
    • CreateEventA.KERNEL32 ref: 6D195CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D195D89), ref: 6D195CEB
    • fwrite.MSVCRT ref: 6D195D20
    • abort.MSVCRT ref: 6D195D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D195D19
    • =, xrefs: 6D195D05
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    APIs
    • Sleep.KERNEL32(?,?,?,6D1012E0,?,?,?,?,?,?,6D1013A3), ref: 6D101057
    • _amsg_exit.MSVCRT ref: 6D101085
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: Sleep_amsg_exit
    APIs
    • VirtualQuery.KERNEL32 ref: 6D19652D
    • VirtualProtect.KERNEL32 ref: 6D196587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D2453A8), ref: 6D196594
      • Part of subcall function 6D197220: fwrite.MSVCRT ref: 6D19724F
      • Part of subcall function 6D197220: vfprintf.MSVCRT ref: 6D19726F
      • Part of subcall function 6D197220: abort.MSVCRT ref: 6D197274
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    APIs
    • bsearch.MSVCRT ref: 6D194D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D195BEF), ref: 6D194D9A
    • malloc.MSVCRT ref: 6D194DC8
    • qsort.MSVCRT ref: 6D194E16
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: ErrorLast$LocaleThread
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: _lock_unlockcalloc
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D195E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D1945D9), ref: 6D195E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1945D9), ref: 6D195E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D1945D9), ref: 6D195E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D1945D9), ref: 6D195E50
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D197248
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1012A5), ref: 6D196709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6D196864
    • Unknown pseudo relocation bit size %d., xrefs: 6D196799
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 2df755ba468b3382adc2ac811fc4a1194659b78938d304e212368cdd666b0ff5
    • Instruction ID: ac42abf6e580b4e822090e5db7f534348cec1b36d2bab6e9c98889fbcb6df005
    • Opcode Fuzzy Hash: 2df755ba468b3382adc2ac811fc4a1194659b78938d304e212368cdd666b0ff5
    • Instruction Fuzzy Hash: 1B21E3B5A083018BDB00DF29D5C872ABBE1BF98604F15C96DE8998F309D774D845CB92
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2164868472.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true
    • Associated: 00000004.00000002.2164847211.000000006D100000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164936267.000000006D198000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164955817.000000006D199000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164975110.000000006D19A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2164993450.000000006D19F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165063833.000000006D248000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D24E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165086404.000000006D253000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165124511.000000006D266000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165144055.000000006D26D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165162033.000000006D26E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2165178436.000000006D271000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 29d9a2d130aab464f562b754971451a413e999f3fdee2574ba96551a78bd8447
    • Instruction ID: db223fe5a0500f068346c67c5144eb914d218f254f8dd78b63f735179a940ef7
    • Opcode Fuzzy Hash: 29d9a2d130aab464f562b754971451a413e999f3fdee2574ba96551a78bd8447
    • Instruction Fuzzy Hash: 3BF0A4B1A003498FDF007F7CC88DA2B7BB8EA55654B058528DD448B208E730A858CBF3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph
    • Nodes:
      • 53080 6cd9cea0
      • 53081 6cd9ceb9
      • 53082 6cd9cec8 WriteFile
      • 53083 6cdc5fb0
      • 53084 6cdc5fc7 _beginthread
      • 53085 6cdc5fe1 _errno
      • 53086 6cdc6012
      • 53087 6cdc5fe8 _errno
      • 53088 6cdc6020 Sleep
      • 53089 6cdc6034
      • 53090 6cdc5ff9 fprintf abort
    • Edges:
      • 53080->53081, 53080->53082, 53081->53082
      • 53083->53084, 53084->53085, 53084->53086, 53085->53087, 53085->53088, 53087->53090, 53088->53084, 53088->53089, 53089->53087, 53090->53086

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CDC5FF9
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 5d8e6ed353ae4ff745bb76a4e747a61fc2710894b4147ead240d50a6d12b72db
    • Instruction ID: 51710bbe6ede8907c34c1a919de3f9e2575596e052718fff63c59d0d8bff5b87
    • Opcode Fuzzy Hash: 5d8e6ed353ae4ff745bb76a4e747a61fc2710894b4147ead240d50a6d12b72db
    • Instruction Fuzzy Hash: 84014BB5609714EFC7047F69C88952EBBB8FF86324F06491EE68583660D7309484EBA3

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • Nodes:
      • 8 6cd9cea0-6cd9ceb7
      • 9 6cd9ceb9-6cd9cec6
      • 10 6cd9cec8-6cd9cee0 WriteFile
    • Edges: 8->9, 8->10, 9->10
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: e08f86e8deea865d9282d1f004713ea87a7c4de83a9b4b683e9957aa4979e37b
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 08E0E575505600CFCB15DF18C2C1306BBE1EB88A00F0485A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CDC634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CDC635F
    • GetCurrentProcess.KERNEL32 ref: 6CDC6368
    • TerminateProcess.KERNEL32 ref: 6CDC6379
    • abort.MSVCRT ref: 6CDC6382
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 9158432808b05b7128b3e588e2ab4d459260e46ef3432fb5dc4f90b8cd7b8ed7
    • Instruction ID: 2596bf608c96a3da7fda2920679130e449cd71507422cc3682fa2a275055cbf3
    • Opcode Fuzzy Hash: 9158432808b05b7128b3e588e2ab4d459260e46ef3432fb5dc4f90b8cd7b8ed7
    • Instruction Fuzzy Hash: B711D2B5B04641DFDB00FF69C14966EBBF4BB4A304F44892AEA88C7351E73499548F93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CDC634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CDC635F
    • GetCurrentProcess.KERNEL32 ref: 6CDC6368
    • TerminateProcess.KERNEL32 ref: 6CDC6379
    • abort.MSVCRT ref: 6CDC6382
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 4adaec6b7dd07bcfa70cbc87f485984f5b8bab0365e2060002daa096d824be76
    • Instruction ID: f5ff27466bef5d896b0b975756ac611b8c7a8e425ef9047b9f2108850291ce17
    • Opcode Fuzzy Hash: 4adaec6b7dd07bcfa70cbc87f485984f5b8bab0365e2060002daa096d824be76
    • Instruction Fuzzy Hash: 5D1102B6B00601DFDB00FF69C24A6697BF8BB06304F04992AEA4887391E7349914CF93

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6CDC5F2C
    • ;, xrefs: 6CDC5F18
    • unexpected cgo_bindm on Windows, xrefs: 6CDC5EA4
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 1ab3232c9a8a20bbc01fa05383fa119b45853a5fcada573d64f1a1b7b1f51ba3
    • Instruction ID: a48059bc87c1df7e4b0e26478161773f3a6ab0bf014fe79daf7289b5900cf566
    • Opcode Fuzzy Hash: 1ab3232c9a8a20bbc01fa05383fa119b45853a5fcada573d64f1a1b7b1f51ba3
    • Instruction Fuzzy Hash: 6E11D6B2A04700EFDB00BF78C10A25EBBF4BB41304F51995DE99947650D775A158CFA3
    APIs
    Strings
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CDC65C7
    • @, xrefs: 6CDC6578
    • VirtualProtect failed with code 0x%x, xrefs: 6CDC659A
    • Address %p has no image-section, xrefs: 6CDC65DB
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 41dc7e072422231d82c120bd4e8a93c0da8fe8c67089ce7042073af34fdf4ff4
    • Instruction ID: e825798fee62ee9f6a7a867f36c9f193524a2f5a6a57d21d70c8cc2658df0a7e
    • Opcode Fuzzy Hash: 41dc7e072422231d82c120bd4e8a93c0da8fe8c67089ce7042073af34fdf4ff4
    • Instruction Fuzzy Hash: B0417DB2B053019FC700EF69D48565AFBF4FB85314F158A2AE9588B724E730E416CBA3
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 5a04d10614ad412df0d7c6917fccd71928883f91fae57304dc250fbf93b7f274
    • Instruction ID: 1be3e98eaed39044953c24246a73a86a0654a48a04784b46e193078a50ecd86d
    • Opcode Fuzzy Hash: 5a04d10614ad412df0d7c6917fccd71928883f91fae57304dc250fbf93b7f274
    • Instruction Fuzzy Hash: B3017CB2A093158BDB10BF789A0B35EBFF8FB42655F01452ED98987724D7309404DBA3
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 6b91bd7b09ef163d6ebc531ea62014269a8752d15cc6fd5fb61f0326ad961137
    • Instruction ID: 5781e62abb1590e441fb29fc383aad2021d020916d67add0c03bfc65f5c41172
    • Opcode Fuzzy Hash: 6b91bd7b09ef163d6ebc531ea62014269a8752d15cc6fd5fb61f0326ad961137
    • Instruction Fuzzy Hash: B0517FB67083158FD700DF29D4802AAB7F9FFC8304F15892AE998D7620E775D9498B93
    APIs
    • malloc.MSVCRT ref: 6CDC606F
    • fwrite.MSVCRT ref: 6CDC60BD
    • abort.MSVCRT ref: 6CDC60C2
    • free.MSVCRT ref: 6CDC60E5
      • Part of subcall function 6CDC5FB0: _beginthread.MSVCRT ref: 6CDC5FD6
      • Part of subcall function 6CDC5FB0: _errno.MSVCRT ref: 6CDC5FE1
      • Part of subcall function 6CDC5FB0: _errno.MSVCRT ref: 6CDC5FE8
      • Part of subcall function 6CDC5FB0: fprintf.MSVCRT ref: 6CDC6008
      • Part of subcall function 6CDC5FB0: abort.MSVCRT ref: 6CDC600D
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 957d13d546c2027a67a78df37104e6cd363c4b51be1e9960d3ca673d54f7b6e9
    • Instruction ID: f9feb62a90c83c5ab7f3e5cbb6ba5f2d22ca15cee08e4e66686d6b09eb9b71e0
    • Opcode Fuzzy Hash: 957d13d546c2027a67a78df37104e6cd363c4b51be1e9960d3ca673d54f7b6e9
    • Instruction Fuzzy Hash: F621F4B5608700DFC700EF28C58595ABBF8FF89304F45899DE9888B726D3399845DBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CDC5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDC5D89), ref: 6CDC5CEB
    • fwrite.MSVCRT ref: 6CDC5D20
    • abort.MSVCRT ref: 6CDC5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CDC5D19
    • =, xrefs: 6CDC5D05
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 3bc2579e03cb8b8292e3fd07f5bda622580eb4ce3b14bd55f5170d932dd9869f
    • Instruction ID: 78b3e1489ee762e80d7719e6886f277cac379c90c20bac766e4bde0c4ba44b3f
    • Opcode Fuzzy Hash: 3bc2579e03cb8b8292e3fd07f5bda622580eb4ce3b14bd55f5170d932dd9869f
    • Instruction Fuzzy Hash: 39F0ECB1604701EFE700BF68C50A31EBBF4BB41304F91895DD8988B690EB799158DFA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CD312E0,?,?,?,?,?,?,6CD313A3), ref: 6CD31057
    • _amsg_exit.MSVCRT ref: 6CD31085
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 0000000D.00000002.2258654742.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259097841.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259211675.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259294990.000000006CDCA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259385537.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259709744.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2259785206.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260006323.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260075653.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260161616.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2260239381.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: ae60ac57f1ec5186357b56e98282c30e8a3ab6ffad7d73f695d7946414af252c
    • Instruction ID: 98fb6fe66cbe685cdd779a944348c12f115bfd238430f187ca951b2514ecbe3c
    • Opcode Fuzzy Hash: ae60ac57f1ec5186357b56e98282c30e8a3ab6ffad7d73f695d7946414af252c
    • Instruction Fuzzy Hash: 2541A0B2708252CBE700BF29C58175A77F4EB83348F11552BE5888B760D739C484CB92
    APIs
    • VirtualQuery.KERNEL32 ref: 6CDC652D
    • VirtualProtect.KERNEL32 ref: 6CDC6587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CE753A8), ref: 6CDC6594
      • Part of subcall function 6CDC7220: fwrite.MSVCRT ref: 6CDC724F
      • Part of subcall function 6CDC7220: vfprintf.MSVCRT ref: 6CDC726F
      • Part of subcall function 6CDC7220: abort.MSVCRT ref: 6CDC7274
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 12320e92ba4332faa3563be1209108b976095a177ea3d6ce1d4db7d6354abae4
    • Instruction ID: e2d041c690192dab460832c96af57edd29f87ea240425a97fc7912d2f27f5994
    • Opcode Fuzzy Hash: 12320e92ba4332faa3563be1209108b976095a177ea3d6ce1d4db7d6354abae4
    • Instruction Fuzzy Hash: 162125B2A057018FD700EF38D58565AFBF4FF84318F158A2AE998C7664E334D506CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 004e9b18708f8d23fa4ce6c6f9e4e93306e734c8d4e7d417a9044d81a9b67346
    • Instruction ID: 159d0d68ce0d7aef0c420e98ad52ab2d0def6fa5b2d94aede114686aaa7190d8
    • Opcode Fuzzy Hash: 004e9b18708f8d23fa4ce6c6f9e4e93306e734c8d4e7d417a9044d81a9b67346
    • Instruction Fuzzy Hash: 300192B0508301DFD700AF69C58931ABBF4BB88349F00891EE99897250D77582488F93
    APIs
    • bsearch.MSVCRT ref: 6CDC4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CDC5BEF), ref: 6CDC4D9A
    • malloc.MSVCRT ref: 6CDC4DC8
    • qsort.MSVCRT ref: 6CDC4E16
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: aa42bf1c9f9346b509aacbc7da9ed9702e67799189be435f5d6985e4191c03e7
    • Instruction ID: 37260b19272fc7ecd1f141da5de631cea691d70ec60074b0fe17e11cfea06d14
    • Opcode Fuzzy Hash: aa42bf1c9f9346b509aacbc7da9ed9702e67799189be435f5d6985e4191c03e7
    • Instruction Fuzzy Hash: 2E411775708301CBD710EF29D48062AB7F9FF88318F15896DE88987B24E774E859CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 4ec1049c9acb587248345fe3a5190d37325bfce27278815a845d672b4c88da53
    • Instruction ID: 764ce8ef78b46ff68bd01ca374be82aede5ec31cb22aceed4c39b7bd4343d99f
    • Opcode Fuzzy Hash: 4ec1049c9acb587248345fe3a5190d37325bfce27278815a845d672b4c88da53
    • Instruction Fuzzy Hash: 95219370704204CBD700AF39C984A56B7F9BF89318F158929E5A9CB3A0FB35E819DB53
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: bfa2f5b1b715e27d88f91e59be0d2b3db99a1bf71d8a880947537bf3994ef456
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 4F112170305201DFD7409F68C98075ABBE8FF45354F168A6AE498CB7A5DB74D844CB63
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CDC6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD313B9), ref: 6CDC629A
    • GetCurrentThreadId.KERNEL32 ref: 6CDC62A2
    • GetTickCount.KERNEL32 ref: 6CDC62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD313B9), ref: 6CDC62B9
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: b2ecf51853cab091fb4fc165258bf5da4537dd638d9fef722bf6b841c21bef08
    • Instruction ID: 8d139ca5d371824d9df237d546dddb10212f3a26a6209e2ff82030b78dea03a9
    • Opcode Fuzzy Hash: b2ecf51853cab091fb4fc165258bf5da4537dd638d9fef722bf6b841c21bef08
    • Instruction Fuzzy Hash: 7A1188B1A093018BDB00EF78E48855BBBF8FB89265F040D3AE544C7750EA31D5598BC3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CDC5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E50
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 75922b0d8ce841b8051db19f8f26cee0a89123a9f4c3bead347fd0e442aac46a
    • Instruction ID: 0bc929f35a619b34005bc6d4acc984a1c47980626264507a4b3ebd94f2069a16
    • Opcode Fuzzy Hash: 75922b0d8ce841b8051db19f8f26cee0a89123a9f4c3bead347fd0e442aac46a
    • Instruction Fuzzy Hash: A7015EB1708308DFDA00FF79998651ABBBCBF42210F51152ED99447250E731A468CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CDC7248
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 3e368d29fd6235dba170f8bfb9207bd07e00397162c013acdf3d635b57409e71
    • Instruction ID: 5490ba1d6d0d309987435d286ec78f8f6d59c67ce2e30ff0aa3ee150458eabb1
    • Opcode Fuzzy Hash: 3e368d29fd6235dba170f8bfb9207bd07e00397162c013acdf3d635b57409e71
    • Instruction Fuzzy Hash: A2E0C2B1208305AED300AF64C0863AFFAF8BF85348F02891CE0C847B61C77884889F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD312A5), ref: 6CDC6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CDC6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CDC6864
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 4518fda8b500330a336f3b98b4efd78a2706468a75ff3947297797213441e31d
    • Instruction ID: 713cccca35ef74806707dd0f66ee7454da4ec79f7c576e77bb1c2268797dbe8a
    • Opcode Fuzzy Hash: 4518fda8b500330a336f3b98b4efd78a2706468a75ff3947297797213441e31d
    • Instruction Fuzzy Hash: 0B61F371B05205DFCB10DF68C9C066DB7B9FF45318B64866AE848DBB64D330A813CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 01facff0d11c045cf291bde6d07595494506284b17e979a403dc901fc8253dc0
    • Instruction ID: f6d07dcce8cdb84e23c5457212e789dae815c006aa967f8a471b28d7ce85c797
    • Opcode Fuzzy Hash: 01facff0d11c045cf291bde6d07595494506284b17e979a403dc901fc8253dc0
    • Instruction Fuzzy Hash: 450117B5A09300DBD700AF28D54925AFBF8EF48318F51892EE8C897750E7748444DBA3
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 788a4c5751c27256220bc6b1470eb7d5f6f6fa98083f4bcb3afc4ac62dfb1ec3
    • Instruction ID: fc21c5f3ba8b28433ac93a2cdf11098671e6977f700211b61db534440d97806d
    • Opcode Fuzzy Hash: 788a4c5751c27256220bc6b1470eb7d5f6f6fa98083f4bcb3afc4ac62dfb1ec3
    • Instruction Fuzzy Hash: 9921E3B5A05600CBDB04EF29D1C471ABBF9BF84208F16C96DE8888B719D734D845CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2258750142.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: c6a84817ff77ece384b649132b14b94d19e72e750fe297e19cbb6482d2cb043c
    • Instruction ID: ef716b656cd61acc4dd6ac4dedf01c8812ceb6bc1fb14595788e116ddecce702
    • Opcode Fuzzy Hash: c6a84817ff77ece384b649132b14b94d19e72e750fe297e19cbb6482d2cb043c
    • Instruction Fuzzy Hash: 49F08172B007048BDB007F7D88CA92ABBB8BF46254B050529DE4487315E730A41A8BE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph (node list and edges of the rendered graph):
    • 6cd9cea0 -> 6cd9ceb9 -> 6cd9cec8 VirtualAlloc; 6cd9cea0 also branches directly to 6cd9cec8 VirtualAlloc
    • 6cdc5fb0 -> 6cdc5fc7 _beginthread -> 6cdc6012
    • 6cdc5fc7 _beginthread -> 6cdc5fe1 _errno -> 6cdc6020 Sleep -> back to 6cdc5fc7 _beginthread
    • 6cdc6020 Sleep -> 6cdc6034 -> 6cdc5fe8 _errno
    • 6cdc5fe1 _errno -> 6cdc5fe8 _errno -> 6cdc5ff9 fprintf abort -> 6cdc6012

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CDC5FF9
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 5d8e6ed353ae4ff745bb76a4e747a61fc2710894b4147ead240d50a6d12b72db
    • Instruction ID: 51710bbe6ede8907c34c1a919de3f9e2575596e052718fff63c59d0d8bff5b87
    • Opcode Fuzzy Hash: 5d8e6ed353ae4ff745bb76a4e747a61fc2710894b4147ead240d50a6d12b72db
    • Instruction Fuzzy Hash: 84014BB5609714EFC7047F69C88952EBBB8FF86324F06491EE68583660D7309484EBA3

    Control-flow Graph

    Legend: Executed / Not Executed
    control_flow_graph (basic blocks and edges of the rendered graph):
    • block 8: 6cd9cea0-6cd9ceb7 -> block 9, block 10
    • block 9: 6cd9ceb9-6cd9cec6 -> block 10
    • block 10: 6cd9cec8-6cd9cee0 VirtualAlloc
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: e08f86e8deea865d9282d1f004713ea87a7c4de83a9b4b683e9957aa4979e37b
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 08E0E575505600CFCB15DF18C2C1306BBE1EB88A00F0485A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CDC634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CDC635F
    • GetCurrentProcess.KERNEL32 ref: 6CDC6368
    • TerminateProcess.KERNEL32 ref: 6CDC6379
    • abort.MSVCRT ref: 6CDC6382
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 9158432808b05b7128b3e588e2ab4d459260e46ef3432fb5dc4f90b8cd7b8ed7
    • Instruction ID: 2596bf608c96a3da7fda2920679130e449cd71507422cc3682fa2a275055cbf3
    • Opcode Fuzzy Hash: 9158432808b05b7128b3e588e2ab4d459260e46ef3432fb5dc4f90b8cd7b8ed7
    • Instruction Fuzzy Hash: B711D2B5B04641DFDB00FF69C14966EBBF4BB4A304F44892AEA88C7351E73499548F93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CDC634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CDC635F
    • GetCurrentProcess.KERNEL32 ref: 6CDC6368
    • TerminateProcess.KERNEL32 ref: 6CDC6379
    • abort.MSVCRT ref: 6CDC6382
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 4adaec6b7dd07bcfa70cbc87f485984f5b8bab0365e2060002daa096d824be76
    • Instruction ID: f5ff27466bef5d896b0b975756ac611b8c7a8e425ef9047b9f2108850291ce17
    • Opcode Fuzzy Hash: 4adaec6b7dd07bcfa70cbc87f485984f5b8bab0365e2060002daa096d824be76
    • Instruction Fuzzy Hash: 5D1102B6B00601DFDB00FF69C24A6697BF8BB06304F04992AEA4887391E7349914CF93
    Strings
    • ;, xrefs: 6CDC5F18
    • unexpected cgo_bindm on Windows, xrefs: 6CDC5EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6CDC5F2C
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 1ab3232c9a8a20bbc01fa05383fa119b45853a5fcada573d64f1a1b7b1f51ba3
    • Instruction ID: a48059bc87c1df7e4b0e26478161773f3a6ab0bf014fe79daf7289b5900cf566
    • Opcode Fuzzy Hash: 1ab3232c9a8a20bbc01fa05383fa119b45853a5fcada573d64f1a1b7b1f51ba3
    • Instruction Fuzzy Hash: 6E11D6B2A04700EFDB00BF78C10A25EBBF4BB41304F51995DE99947650D775A158CFA3
    Strings
    • Address %p has no image-section, xrefs: 6CDC65DB
    • @, xrefs: 6CDC6578
    • VirtualProtect failed with code 0x%x, xrefs: 6CDC659A
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CDC65C7
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 41dc7e072422231d82c120bd4e8a93c0da8fe8c67089ce7042073af34fdf4ff4
    • Instruction ID: e825798fee62ee9f6a7a867f36c9f193524a2f5a6a57d21d70c8cc2658df0a7e
    • Opcode Fuzzy Hash: 41dc7e072422231d82c120bd4e8a93c0da8fe8c67089ce7042073af34fdf4ff4
    • Instruction Fuzzy Hash: B0417DB2B053019FC700EF69D48565AFBF4FB85314F158A2AE9588B724E730E416CBA3
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 5a04d10614ad412df0d7c6917fccd71928883f91fae57304dc250fbf93b7f274
    • Instruction ID: 1be3e98eaed39044953c24246a73a86a0654a48a04784b46e193078a50ecd86d
    • Opcode Fuzzy Hash: 5a04d10614ad412df0d7c6917fccd71928883f91fae57304dc250fbf93b7f274
    • Instruction Fuzzy Hash: B3017CB2A093158BDB10BF789A0B35EBFF8FB42655F01452ED98987724D7309404DBA3
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 6b91bd7b09ef163d6ebc531ea62014269a8752d15cc6fd5fb61f0326ad961137
    • Instruction ID: 5781e62abb1590e441fb29fc383aad2021d020916d67add0c03bfc65f5c41172
    • Opcode Fuzzy Hash: 6b91bd7b09ef163d6ebc531ea62014269a8752d15cc6fd5fb61f0326ad961137
    • Instruction Fuzzy Hash: B0517FB67083158FD700DF29D4802AAB7F9FFC8304F15892AE998D7620E775D9498B93
    APIs
    • malloc.MSVCRT ref: 6CDC606F
    • fwrite.MSVCRT ref: 6CDC60BD
    • abort.MSVCRT ref: 6CDC60C2
    • free.MSVCRT ref: 6CDC60E5
      • Part of subcall function 6CDC5FB0: _beginthread.MSVCRT ref: 6CDC5FD6
      • Part of subcall function 6CDC5FB0: _errno.MSVCRT ref: 6CDC5FE1
      • Part of subcall function 6CDC5FB0: _errno.MSVCRT ref: 6CDC5FE8
      • Part of subcall function 6CDC5FB0: fprintf.MSVCRT ref: 6CDC6008
      • Part of subcall function 6CDC5FB0: abort.MSVCRT ref: 6CDC600D
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 957d13d546c2027a67a78df37104e6cd363c4b51be1e9960d3ca673d54f7b6e9
    • Instruction ID: f9feb62a90c83c5ab7f3e5cbb6ba5f2d22ca15cee08e4e66686d6b09eb9b71e0
    • Opcode Fuzzy Hash: 957d13d546c2027a67a78df37104e6cd363c4b51be1e9960d3ca673d54f7b6e9
    • Instruction Fuzzy Hash: F621F4B5608700DFC700EF28C58595ABBF8FF89304F45899DE9888B726D3399845DBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CDC5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDC5D89), ref: 6CDC5CEB
    • fwrite.MSVCRT ref: 6CDC5D20
    • abort.MSVCRT ref: 6CDC5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CDC5D19
    • =, xrefs: 6CDC5D05
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 3bc2579e03cb8b8292e3fd07f5bda622580eb4ce3b14bd55f5170d932dd9869f
    • Instruction ID: 78b3e1489ee762e80d7719e6886f277cac379c90c20bac766e4bde0c4ba44b3f
    • Opcode Fuzzy Hash: 3bc2579e03cb8b8292e3fd07f5bda622580eb4ce3b14bd55f5170d932dd9869f
    • Instruction Fuzzy Hash: 39F0ECB1604701EFE700BF68C50A31EBBF4BB41304F91895DD8988B690EB799158DFA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CD312E0,?,?,?,?,?,?,6CD313A3), ref: 6CD31057
    • _amsg_exit.MSVCRT ref: 6CD31085
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: ae60ac57f1ec5186357b56e98282c30e8a3ab6ffad7d73f695d7946414af252c
    • Instruction ID: 98fb6fe66cbe685cdd779a944348c12f115bfd238430f187ca951b2514ecbe3c
    • Opcode Fuzzy Hash: ae60ac57f1ec5186357b56e98282c30e8a3ab6ffad7d73f695d7946414af252c
    • Instruction Fuzzy Hash: 2541A0B2708252CBE700BF29C58175A77F4EB83348F11552BE5888B760D739C484CB92
    APIs
    • VirtualQuery.KERNEL32 ref: 6CDC652D
    • VirtualProtect.KERNEL32 ref: 6CDC6587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CE753A8), ref: 6CDC6594
      • Part of subcall function 6CDC7220: fwrite.MSVCRT ref: 6CDC724F
      • Part of subcall function 6CDC7220: vfprintf.MSVCRT ref: 6CDC726F
      • Part of subcall function 6CDC7220: abort.MSVCRT ref: 6CDC7274
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 12320e92ba4332faa3563be1209108b976095a177ea3d6ce1d4db7d6354abae4
    • Instruction ID: e2d041c690192dab460832c96af57edd29f87ea240425a97fc7912d2f27f5994
    • Opcode Fuzzy Hash: 12320e92ba4332faa3563be1209108b976095a177ea3d6ce1d4db7d6354abae4
    • Instruction Fuzzy Hash: 162125B2A057018FD700EF38D58565AFBF4FF84318F158A2AE998C7664E334D506CB92
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 004e9b18708f8d23fa4ce6c6f9e4e93306e734c8d4e7d417a9044d81a9b67346
    • Instruction ID: 159d0d68ce0d7aef0c420e98ad52ab2d0def6fa5b2d94aede114686aaa7190d8
    • Opcode Fuzzy Hash: 004e9b18708f8d23fa4ce6c6f9e4e93306e734c8d4e7d417a9044d81a9b67346
    • Instruction Fuzzy Hash: 300192B0508301DFD700AF69C58931ABBF4BB88349F00891EE99897250D77582488F93
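The function records on this page come from at least three origins: Go's runtime/cgo start-up code (strings such as "unexpected cgo_bindm on Windows", "runtime: failed to create runtime initialization wait event." and "runtime/cgo: out of memory in thread_start"), the mingw-w64 CRT (the VirtualQuery/VirtualProtect pseudo-relocation handler with its "VirtualProtect failed with code 0x%x" message, the libgcc_s_dw2-1.dll frame-info registration, and the GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/GetTickCount/QueryPerformanceCounter stack-cookie initialiser), and code that matches neither, such as the Portuguese-language "Erro: %s" record above, which is where manual review should start. The Python helper below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses records in the text layout used on this page and labels each one with the runtime it most likely came from. The marker strings and the five-API cookie-initialiser set are assumptions drawn from the records shown here rather than an exhaustive catalogue, `SAMPLE_REPORT` is a constructed excerpt of four of those records with the dump lines trimmed, and the labels are heuristics for prioritising review, not proof of attribution.

```python
"""Triage helper for Joe Sandbox per-function records (added example).

Parses the 'APIs' / 'Strings' / 'Similarity' bullets of each record and
labels it by the runtime it most likely belongs to, so Go runtime/cgo and
mingw-w64 CRT boilerplate can be set aside in favour of sample-specific code.
"""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "• Name.MODULE ref: ADDR", "• Name.MODULE(?,?), ref: ADDR" and the
# indented "• Part of subcall function ADDR: Name.MODULE ref: ADDR" form.
_API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                     r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)")
_STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: [0-9A-Fa-f]+$")
_FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")

# Assumption: markers taken from this report's records; recognisable fragments
# of Go's runtime/cgo and the mingw-w64 CRT, not a complete list of either.
GO_CGO_MARKERS = ("runtime/cgo:", "runtime: failed to", "unexpected cgo_bindm")
MINGW_CRT_MARKERS = ("VirtualProtect failed with code", "VirtualQuery failed for",
                     "Address %p has no image-section", "__register_frame_info",
                     "libgcc_s_dw2-1.dll")
# API set of the CRT stack-cookie initialiser (__security_init_cookie pattern).
COOKIE_INIT_APIS = {"GetSystemTimeAsFileTime", "GetCurrentProcessId",
                    "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"}


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)     # API names, subcalls included
    strings: list = field(default_factory=list)  # referenced literals, deduplicated
    instruction_id: str = ""


def _add(rec: FuncRecord, s: str) -> None:
    if s and s not in rec.strings:
        rec.strings.append(s)


def parse_records(text: str) -> list:
    """Split exported report text into one FuncRecord per 'APIs' section."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":                  # every record opens with this header
                rec = FuncRecord()
                records.append(rec)
            section = line
        elif rec is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := _API_RE.match(line)):
            rec.apis.append(m.group("name"))
        elif section == "Strings" and (m := _STRING_RE.match(line)):
            _add(rec, m.group("text"))
        elif section == "Similarity" and (m := _FIELD_RE.match(line)):
            key, val = m.group("key"), m.group("val")
            if key == "String ID":              # '$' joins the strings; a literal '$' is ambiguous
                for s in val.split("$"):
                    _add(rec, s)
            elif key == "Instruction ID":
                rec.instruction_id = val
    return records


def classify(rec: FuncRecord) -> str:
    """Heuristic label: which runtime the function most likely belongs to."""
    blob = "\n".join(rec.strings)
    if any(m in blob for m in GO_CGO_MARKERS):
        return "go-runtime-cgo"
    if any(m in blob for m in MINGW_CRT_MARKERS):
        return "mingw-crt"
    if COOKIE_INIT_APIS <= set(rec.apis):
        return "mingw-crt"
    return "unclassified"


def triage(text: str) -> list:
    """(label, instruction_id, apis) per record, unclassified records first."""
    rows = [(classify(r), r.instruction_id, r.apis) for r in parse_records(text)]
    return sorted(rows, key=lambda row: row[0] != "unclassified")


# Constructed excerpt: four records copied from this report, dump lines trimmed.
SAMPLE_REPORT = """\
APIs
Strings
• unexpected cgo_bindm on Windows, xrefs: 6CDC5EA4
Similarity
• String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
APIs
• VirtualQuery.KERNEL32 ref: 6CDC652D
• VirtualProtect.KERNEL32 ref: 6CDC6587
• GetLastError.KERNEL32(?,?,?,6CE753A8), ref: 6CDC6594
  • Part of subcall function 6CDC7220: abort.MSVCRT ref: 6CDC7274
Strings
• VirtualProtect failed with code 0x%x, xrefs: 6CDC659A
Similarity
• String ID: VirtualProtect failed with code 0x%x$@
APIs
Similarity
• String ID: Erro: %s
• Instruction ID: 159d0d68ce0d7aef0c420e98ad52ab2d0def6fa5b2d94aede114686aaa7190d8
APIs
• GetSystemTimeAsFileTime.KERNEL32 ref: 6CDC6289
• GetCurrentProcessId.KERNEL32(?,?,6CD313B9), ref: 6CDC629A
• GetCurrentThreadId.KERNEL32 ref: 6CDC62A2
• GetTickCount.KERNEL32 ref: 6CDC62AA
• QueryPerformanceCounter.KERNEL32(?,?,6CD313B9), ref: 6CDC62B9
"""
```

Feed `triage()` the report text saved from the page; records labelled `unclassified` are the ones to open first, and records labelled as a runtime should still be cross-checked by Instruction ID against a known-good Go or mingw-w64 build before being dismissed, since a string marker alone is not proof of origin.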
    APIs
    • bsearch.MSVCRT ref: 6CDC4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CDC5BEF), ref: 6CDC4D9A
    • malloc.MSVCRT ref: 6CDC4DC8
    • qsort.MSVCRT ref: 6CDC4E16
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: aa42bf1c9f9346b509aacbc7da9ed9702e67799189be435f5d6985e4191c03e7
    • Instruction ID: 37260b19272fc7ecd1f141da5de631cea691d70ec60074b0fe17e11cfea06d14
    • Opcode Fuzzy Hash: aa42bf1c9f9346b509aacbc7da9ed9702e67799189be435f5d6985e4191c03e7
    • Instruction Fuzzy Hash: 2E411775708301CBD710EF29D48062AB7F9FF88318F15896DE88987B24E774E859CB92
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 4ec1049c9acb587248345fe3a5190d37325bfce27278815a845d672b4c88da53
    • Instruction ID: 764ce8ef78b46ff68bd01ca374be82aede5ec31cb22aceed4c39b7bd4343d99f
    • Opcode Fuzzy Hash: 4ec1049c9acb587248345fe3a5190d37325bfce27278815a845d672b4c88da53
    • Instruction Fuzzy Hash: 95219370704204CBD700AF39C984A56B7F9BF89318F158929E5A9CB3A0FB35E819DB53
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: bfa2f5b1b715e27d88f91e59be0d2b3db99a1bf71d8a880947537bf3994ef456
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 4F112170305201DFD7409F68C98075ABBE8FF45354F168A6AE498CB7A5DB74D844CB63
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CDC6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD313B9), ref: 6CDC629A
    • GetCurrentThreadId.KERNEL32 ref: 6CDC62A2
    • GetTickCount.KERNEL32 ref: 6CDC62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD313B9), ref: 6CDC62B9
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: b2ecf51853cab091fb4fc165258bf5da4537dd638d9fef722bf6b841c21bef08
    • Instruction ID: 8d139ca5d371824d9df237d546dddb10212f3a26a6209e2ff82030b78dea03a9
    • Opcode Fuzzy Hash: b2ecf51853cab091fb4fc165258bf5da4537dd638d9fef722bf6b841c21bef08
    • Instruction Fuzzy Hash: 7A1188B1A093018BDB00EF78E48855BBBF8FB89265F040D3AE544C7750EA31D5598BC3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CDC5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CDC45D9), ref: 6CDC5E50
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 75922b0d8ce841b8051db19f8f26cee0a89123a9f4c3bead347fd0e442aac46a
    • Instruction ID: 0bc929f35a619b34005bc6d4acc984a1c47980626264507a4b3ebd94f2069a16
    • Opcode Fuzzy Hash: 75922b0d8ce841b8051db19f8f26cee0a89123a9f4c3bead347fd0e442aac46a
    • Instruction Fuzzy Hash: A7015EB1708308DFDA00FF79998651ABBBCBF42210F51152ED99447250E731A468CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CDC7248
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 3e368d29fd6235dba170f8bfb9207bd07e00397162c013acdf3d635b57409e71
    • Instruction ID: 5490ba1d6d0d309987435d286ec78f8f6d59c67ce2e30ff0aa3ee150458eabb1
    • Opcode Fuzzy Hash: 3e368d29fd6235dba170f8bfb9207bd07e00397162c013acdf3d635b57409e71
    • Instruction Fuzzy Hash: A2E0C2B1208305AED300AF64C0863AFFAF8BF85348F02891CE0C847B61C77884889F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD312A5), ref: 6CDC6709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6CDC6864
    • Unknown pseudo relocation bit size %d., xrefs: 6CDC6799
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 4518fda8b500330a336f3b98b4efd78a2706468a75ff3947297797213441e31d
    • Instruction ID: 713cccca35ef74806707dd0f66ee7454da4ec79f7c576e77bb1c2268797dbe8a
    • Opcode Fuzzy Hash: 4518fda8b500330a336f3b98b4efd78a2706468a75ff3947297797213441e31d
    • Instruction Fuzzy Hash: 0B61F371B05205DFCB10DF68C9C066DB7B9FF45318B64866AE848DBB64D330A813CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 01facff0d11c045cf291bde6d07595494506284b17e979a403dc901fc8253dc0
    • Instruction ID: f6d07dcce8cdb84e23c5457212e789dae815c006aa967f8a471b28d7ce85c797
    • Opcode Fuzzy Hash: 01facff0d11c045cf291bde6d07595494506284b17e979a403dc901fc8253dc0
    • Instruction Fuzzy Hash: 450117B5A09300DBD700AF28D54925AFBF8EF48318F51892EE8C897750E7748444DBA3
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 788a4c5751c27256220bc6b1470eb7d5f6f6fa98083f4bcb3afc4ac62dfb1ec3
    • Instruction ID: fc21c5f3ba8b28433ac93a2cdf11098671e6977f700211b61db534440d97806d
    • Opcode Fuzzy Hash: 788a4c5751c27256220bc6b1470eb7d5f6f6fa98083f4bcb3afc4ac62dfb1ec3
    • Instruction Fuzzy Hash: 9921E3B5A05600CBDB04EF29D1C471ABBF9BF84208F16C96DE8888B719D734D845CB92
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2257297893.000000006CD31000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD30000, based on PE: true
    • Associated: 00000011.00000002.2257221796.000000006CD30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257702450.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257798940.000000006CDC9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2257910588.000000006CDCD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258013550.000000006CDCF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258399599.000000006CE78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE7E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258511182.000000006CE83000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258716820.000000006CE96000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258804963.000000006CE9D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2258975920.000000006CE9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2259066490.000000006CEA1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6cd30000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: c6a84817ff77ece384b649132b14b94d19e72e750fe297e19cbb6482d2cb043c
    • Instruction ID: ef716b656cd61acc4dd6ac4dedf01c8812ceb6bc1fb14595788e116ddecce702
    • Opcode Fuzzy Hash: c6a84817ff77ece384b649132b14b94d19e72e750fe297e19cbb6482d2cb043c
    • Instruction Fuzzy Hash: 49F08172B007048BDB007F7D88CA92ABBB8BF46254B050529DE4487315E730A41A8BE3