
Windows Analysis Report
HM6fo6Fz5H.dll

Overview

General Information

Sample name: HM6fo6Fz5H.dll (renamed because the original name is a hash value)
Original sample name: 94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032.dll
Analysis ID: 1544807
MD5: b5acfda8a748d117f127765c8abe7ff0
SHA1: 1252d0ce52684b957636262978f3d701b139ae5b
SHA256: 94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 8060 cmdline: loaddll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8140 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6828 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8160 cmdline: rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 852 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7048 cmdline: rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7628 cmdline: rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5612 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7780 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 892 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2112 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7400 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8176 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6444 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1704 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8152 cmdline: rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D371830
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6CFD1830
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6CFD1830
Source: HM6fo6Fz5H.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: HM6fo6Fz5H.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (9_2_6D342CA6)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (9_2_6D342CA0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp], edx (9_2_6D35CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ebp, 0Dh (9_2_6D369030)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ecx, 0Dh (9_2_6D36A360)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (18_2_6CFA2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (18_2_6CFA2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp], edx (18_2_6CFBCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ebp, 0Dh (18_2_6CFC9030)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ecx, 0Dh (18_2_6CFCA360)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (22_2_6CFA2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp+0Ch], eax (22_2_6CFA2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then mov dword ptr [esp], edx (22_2_6CFBCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ebp, 0Dh (22_2_6CFC9030)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then shr ecx, 0Dh (22_2_6CFCA360)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D371A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D372A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D371570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3711F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6CFD2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6CFD1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6CFD1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6CFD11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6CFD2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6CFD1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6CFD1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6CFD11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6D006A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6CFA2C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6D3A6A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6CFD7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6CFD5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6D377410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6D005740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: String function: 6CFD3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840
Source: HM6fo6Fz5H.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine; Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3D5B30 GetLastError, FormatMessageA, fprintf, LocalFree
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\41f66fb5-379b-4989-b4e0-9733f1975541
Source: HM6fo6Fz5H.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 852
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 824
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: HM6fo6Fz5H.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: HM6fo6Fz5H.dll | Static file information: File size 1368576 > 1048576
Source: HM6fo6Fz5H.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6D3413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_6D3413E0
Source: HM6fo6Fz5H.dll | Static PE information: real checksum: 0x15674c should be: 0x155db1
Source: HM6fo6Fz5H.dll | Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe | Code function: 5_2_01C3D7BF push ecx; retf 5_2_01C3D7C8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6D3B509D pushad ; ret 9_2_6D3B509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6D3B5094 pushad ; ret 9_2_6D3B5095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_0510282D push eax; iretd 16_2_0510282E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_6D015094 pushad ; ret 18_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_6D01509D pushad ; ret 18_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C3D285 push 5EA0C0B3h; iretd 19_2_04C3D2A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C3AF34 push eax; retf 19_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_04C3DD3A push esp; ret 19_2_04C3DD3E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_0443AF62 push eax; retf 20_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_0443CD40 push esi; retf 20_2_0443CD53
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_0443AF34 push eax; retf 20_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6D015094 pushad ; ret 22_2_6D015095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6D01509D pushad ; ret 22_2_6D01509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0483C388 push 12969CE4h; retf 24_2_0483C397
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0483C357 push cs; retf 24_2_0483C361
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0483AF34 push eax; retf 24_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 25_2_0483AF34 push eax; retf 25_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_0483AF34 push eax; retf 26_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_048800BF push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_048803D3 push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_048803F5 push esi; ret 26_2_048803E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 28_2_0483C394 push cs; ret 28_2_0483C39A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 28_2_0483AF34 push eax; retf 28_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 29_2_0503AF34 push eax; retf 29_2_0503AF39
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3AC0C0 rdtscp 9_2_6D3AC0C0
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 0.9 %
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3AC0C0 rdtscp 9_2_6D3AC0C0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_6D3413E0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3D4F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 9_2_6D3D4F30
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3D6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 9_2_6D3D6300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 18_2_6D0362FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6D036300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_6D036300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_6D0362FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_6D0362FC
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D3D6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 9_2_6D3D6250
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 9_2_6D371C90 RtlGetVersion,RtlGetCurrentPeb, 9_2_6D371C90
MITRE ATT&CK matrix, listed per tactic column (a number in parentheses is the count of matched signatures for that technique):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), Native API (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Rundll32 (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (3), Virtualization/Sandbox Evasion (11), System Information Discovery (3), Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph ID: 1544807; Sample: HM6fo6Fz5H.dll; Startdate: 29/10/2024; Architecture: WINDOWS; Score: 48
Signature on the sample: AI detected suspicious sample
Process tree recovered from the behavior graph:
  loaddll32.exe started
    rundll32.exe started (signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners))
      WerFault.exe started
    cmd.exe started
      rundll32.exe started
        WerFault.exe started
    rundll32.exe started
      WerFault.exe started
    12 other processes started

Source | Detection | Scanner | Label | Link
HM6fo6Fz5H.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544807
Start date and time:2024-10-29 19:12:40 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:34
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:HM6fo6Fz5H.dll
renamed because original name is a hash value
Original Sample Name:94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 5
  • Number of non-executed functions: 111
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 8060 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1704 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2112 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6444 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6828 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7048 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7400 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7584 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7628 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7780 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 8152 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 8176 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: HM6fo6Fz5H.dll
Time | Type | Description
14:13:41 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.2721621538761605
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HM6fo6Fz5H.dll
File size:1'368'576 bytes
MD5:b5acfda8a748d117f127765c8abe7ff0
SHA1:1252d0ce52684b957636262978f3d701b139ae5b
SHA256:94190206516c7abb012c86153f5b26cb9854fccc69d457f40421361c22ff6032
SHA512:33e16c9be935d74b920b10f4363055f879b08476d99911e2214720ff5700c31c91e1e1ed36248857ae6e0255de7548ed80dc72fcb8dfd27870e0e821b0b3b6d0
SSDEEP:24576:vmNRjTFknfLRI48fs0pLUJtZZ5lVMeMiZXQgwhe02nMnh:vaB7oTO5kk
TLSH:83552900FD8784F1E4032632856B62AF2325AD1A5F31DBC7FB44BA79FA776D50932285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m................................Lg....@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F047C8F556Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F047C8F53D2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F047C98A3ECh
mov edx, dword ptr [esp+0Ch]
jmp 00007F047C8F5529h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F047C98B23Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F047C8F55C5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F047C8F5563h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 7f7828b503c4283586dbe58f955bcc27 | False | 0.46981268198835274 | data | 6.28215682222943 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | 492f1e8f80611978bd103156c7d34a3f | False | 0.42044771634615385 | data | 4.4442151517040545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa6380 | 0xa6400 | b19ba9ec621497d559c7bab644ffd0e0 | False | 0.43179041353383457 | data | 5.595992973175169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 09567d1ad9f53e5b80892bb2d741d864 | False | 0.6669634650735294 | data | 6.630677301160633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found

Target ID:5
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll"
Imagebase:0xf70000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Imagebase:0xd70000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarCreate
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",#1
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 840
Imagebase:0xde0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:13:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 852
Imagebase:0xde0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:14:13:35
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarDestroy
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:14:13:38
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\HM6fo6Fz5H.dll,BarFreeRec
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:18
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarCreate
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:19
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarDestroy
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:20
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarFreeRec
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",_cgo_dummy_export
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 824
Imagebase:0xde0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellSpell
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellInit
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SpellFree
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",SignalInitializeCrashReporting
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",GetInstallDetailsPayload
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:14:13:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\HM6fo6Fz5H.dll",BarRecognize
Imagebase:0x700000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    Execution graph (rendered figure in the original report): the function at 6d3acea0 branches to 6d3aceb9 and to 6d3acec8; the 6d3acec8 block calls VirtualAlloc.

    Control-flow Graph

    Control-flow graph (rendered figure in the original report): basic blocks 6d3acea0-6d3aceb7, 6d3aceb9-6d3acec6 and 6d3acec8-6d3acee0, the last of which calls VirtualAlloc.
    APIs
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 1c5afcf0841e4765415af609eedd89bd587f9ebbc6e48f1bb3cc5233dbae76bd
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 18E0E575505640CFCB15DF18C2C5716BBE1EB48A00F0485A8DE098F74AD734ED10CBD2

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 297 6d3d4f30-6d3d4f42 298 6d3d4f48-6d3d4f54 297->298 299 6d3d5350-6d3d536e SetLastError 297->299 300 6d3d4f5a-6d3d4f71 298->300 301 6d3d5330-6d3d533f SetLastError 298->301 300->299 303 6d3d4f77-6d3d4f88 300->303 302 6d3d5342-6d3d534e 301->302 303->301 304 6d3d4f8e-6d3d4f98 303->304 304->301 305 6d3d4f9e-6d3d4fa7 304->305 305->301 306 6d3d4fad-6d3d4fbb 305->306 307 6d3d4fc1-6d3d4fc3 306->307 308 6d3d5710 306->308 309 6d3d4fc5-6d3d4fe3 307->309 311 6d3d5720-6d3d5724 308->311 309->309 310 6d3d4fe5-6d3d500f GetNativeSystemInfo 309->310 310->301 312 6d3d5015-6d3d5047 310->312 313 6d3d53d0-6d3d53e6 call 6d3d4e50 311->313 317 6d3d504d-6d3d5073 GetProcessHeap HeapAlloc 312->317 318 6d3d5370-6d3d53a3 312->318 319 6d3d5079-6d3d50e4 317->319 320 6d3d5731-6d3d576a SetLastError 317->320 318->317 324 6d3d53a9-6d3d53bb SetLastError 318->324 322 6d3d50ea-6d3d515c memcpy 319->322 323 6d3d53c0-6d3d53cd SetLastError 319->323 320->302 327 6d3d51ea-6d3d51f5 322->327 328 6d3d5162-6d3d5164 322->328 323->313 324->302 329 6d3d51fb-6d3d520a 327->329 330 6d3d5660-6d3d566a 327->330 331 6d3d5166-6d3d516b 328->331 332 6d3d5210-6d3d521e 329->332 333 6d3d5472-6d3d549a 329->333 334 6d3d566c-6d3d5680 330->334 335 6d3d56eb 330->335 336 6d3d5171-6d3d517a 331->336 337 6d3d53f0-6d3d53fc 331->337 343 6d3d5220-6d3d523a IsBadReadPtr 332->343 338 6d3d549c-6d3d549f 333->338 339 6d3d54b0-6d3d54c8 333->339 344 6d3d56e6 334->344 345 6d3d5682-6d3d568e 334->345 350 6d3d56f3-6d3d56fa 335->350 340 6d3d517c-6d3d51a8 336->340 341 6d3d51ce-6d3d51dc 336->341 337->323 342 6d3d53fe-6d3d5426 337->342 346 6d3d56ff-6d3d5704 338->346 347 6d3d54a5-6d3d54a8 338->347 348 6d3d54ce-6d3d54e6 339->348 349 6d3d57a6-6d3d57aa 339->349 340->313 363 6d3d51ae-6d3d51c9 memset 340->363 341->331 351 6d3d51de-6d3d51e6 341->351 342->313 365 6d3d5428-6d3d5452 memcpy 342->365 352 6d3d5470 343->352 353 6d3d5240-6d3d5249 343->353 344->335 354 6d3d5690-6d3d569b 345->354 346->339 347->339 355 6d3d54aa-6d3d54af 347->355 357 6d3d5541-6d3d554d 348->357 364 6d3d57b3-6d3d57c3 SetLastError 349->364 350->302 351->327 352->333 353->352 359 6d3d524f-6d3d5264 353->359 360 6d3d569d-6d3d569f 354->360 361 6d3d56d2-6d3d56dc 354->361 355->339 366 6d3d554f-6d3d5555 357->366 367 6d3d555a-6d3d555e 357->367 381 6d3d576f-6d3d577f SetLastError 359->381 382 6d3d526a-6d3d5285 realloc 359->382 368 6d3d56a0-6d3d56ad 360->368 361->354 362 6d3d56de-6d3d56e2 361->362 362->344 363->341 364->313 380 6d3d5460-6d3d5465 365->380 369 6d3d5557 366->369 370 6d3d55a0-6d3d55a6 366->370 374 6d3d556a-6d3d557b 367->374 375 6d3d5560-6d3d5568 367->375 372 6d3d56af-6d3d56c0 368->372 373 6d3d56c3-6d3d56d0 368->373 369->367 370->367 379 6d3d55a8-6d3d55ab 370->379 372->373 373->361 373->368 377 6d3d557d-6d3d5583 374->377 378 6d3d5585 374->378 375->374 376 6d3d54f0-6d3d54ff call 6d3d49e0 375->376 376->311 394 6d3d5505-6d3d5514 376->394 377->378 383 6d3d558a-6d3d5596 377->383 378->383 379->367 380->343 381->313 385 6d3d528b-6d3d52b5 382->385 386 6d3d5784-6d3d57a1 SetLastError 382->386 389 6d3d5518-6d3d5530 383->389 387 6d3d52e8-6d3d52f4 385->387 388 6d3d52b7 385->388 386->313 392 6d3d52f6-6d3d5307 387->392 393 6d3d52c0-6d3d52d6 387->393 388->380 395 6d3d55b0-6d3d55c9 call 6d3d49e0 389->395 396 6d3d5532-6d3d553d 389->396 401 6d3d5309-6d3d5326 SetLastError 392->401 402 6d3d52d8-6d3d52e2 392->402 393->401 393->402 394->389 395->313 403 6d3d55cf-6d3d55d9 395->403 396->357 401->313 402->380 402->387 404 6d3d55db-6d3d55e4 403->404 405 6d3d5613-6d3d5618 403->405 404->405 408 6d3d55e6-6d3d55ea 404->408 405->350 406 6d3d561e-6d3d5629 405->406 409 6d3d562f-6d3d5649 406->409 410 6d3d5729-6d3d572c 406->410 408->405 411 6d3d55ec 408->411 409->364 414 6d3d564f-6d3d5656 409->414 410->302 412 6d3d55f0-6d3d560f 411->412 416 6d3d5611 412->416 414->302 416->405
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: f292641d58e0ab0ed748b5297c4541b0872c654c35686f4908b4f6933ab9e1fb
    • Instruction ID: b64f35ab2e82ca08e76f59fae758424b2d683bdceafeb30c8e8d62d0a787f6b2
    • Opcode Fuzzy Hash: f292641d58e0ab0ed748b5297c4541b0872c654c35686f4908b4f6933ab9e1fb
    • Instruction Fuzzy Hash: B842FFB6A087028FD750DF29C580A6ABBF1FF89345F44892DE99987300E775E844CF82

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1107 6d3559f0-6d355a05 1108 6d356c61-6d356c66 call 6d3aae50 1107->1108 1109 6d355a0b-6d355a31 call 6d3b0980 1107->1109 1108->1107 1114 6d355a33-6d355a38 1109->1114 1115 6d355a3a-6d355a3d 1109->1115 1116 6d355a40-6d355aa7 call 6d3b09b0 call 6d3acff0 1114->1116 1115->1116 1121 6d355ab3-6d355b83 call 6d379e30 call 6d3aad60 * 2 call 6d379a20 1116->1121 1122 6d355aa9-6d355ab1 call 6d3ac260 1116->1122 1133 6d355b85-6d355b89 1121->1133 1134 6d355b8b-6d355b93 call 6d399ba0 1121->1134 1122->1121 1135 6d355b97-6d355b99 1133->1135 1134->1135 1138 6d355bcf-6d355be5 1135->1138 1139 6d355b9b-6d355bca call 6d39a140 call 6d399cd0 1135->1139 1141 6d355be7-6d355bef call 6d3ac260 1138->1141 1142 6d355bf1-6d355c00 1138->1142 1139->1138 1141->1142 1145 6d355c06-6d355f1c call 6d3b09b0 call 6d3aad60 call 6d3acff0 call 6d3ad050 call 6d3b09d0 * 2 call 6d36fc30 call 6d39f810 * 2 call 6d3b07f0 * 3 1142->1145 1146 6d356c4a-6d356c60 call 6d3a6a90 1142->1146 1175 6d355f24-6d355fc2 call 6d34a4e0 call 6d37ed60 call 6d34a700 call 6d361f00 call 6d3585c0 call 6d36ce30 call 6d3629f0 1145->1175 1176 6d355f1e 1145->1176 1146->1108 1191 6d355fc4-6d355fc6 1175->1191 1192 6d355fd0-6d355fd2 1175->1192 1176->1175 1193 6d356c34-6d356c45 call 6d3a6a90 1191->1193 1194 6d355fcc-6d355fce 1191->1194 1195 6d356c1e-6d356c2f call 6d3a6a90 1192->1195 1196 6d355fd8-6d356095 call 6d3ac476 call 6d3ac94a call 6d3aad60 call 6d36d3f0 call 6d365470 call 6d3aad60 * 2 1192->1196 1193->1146 1194->1192 1194->1196 1195->1193 1213 6d3560b4-6d3560bc 1196->1213 1214 6d356097-6d3560af call 6d362a70 1196->1214 1216 6d3560c2-6d356130 call 6d3ac47a call 6d376bb0 call 6d39fa50 1213->1216 1217 6d356abf-6d356b05 call 6d34a4e0 1213->1217 1214->1213 1233 6d356140-6d35615e 1216->1233 1223 6d356b14-6d356b30 call 6d34a700 1217->1223 1224 6d356b07-6d356b12 call 6d3ac260 1217->1224 1232 6d356b55-6d356b5e 1223->1232 1224->1223 1234 6d356b60-6d356b8b call 6d35ed90 1232->1234 1235 6d356b32-6d356b54 call 6d3443c0 1232->1235 1237 6d356160-6d356163 1233->1237 1238 6d356169-6d3561ec 1233->1238 1248 6d356b8d-6d356b96 call 6d3aad60 1234->1248 1249 6d356b9b-6d356bf2 call 6d388b70 * 2 1234->1249 1235->1232 1237->1238 1241 6d356216-6d35621c 1237->1241 1242 6d356c14-6d356c19 call 6d3ac2e0 1238->1242 1243 6d3561f2-6d3561fc 1238->1243 1250 6d356222-6d3563bc call 6d3a7ed0 call 6d376bb0 call 6d377410 call 6d377100 call 6d377410 * 3 call 6d377230 call 6d377410 call 6d376c10 call 6d3ac47a 1241->1250 1251 6d356c0a-6d356c0f call 6d3ac2e0 1241->1251 1242->1195 1246 6d35620f-6d356211 1243->1246 1247 6d3561fe-6d35620a 1243->1247 1253 6d356132-6d35613e 1246->1253 1247->1253 1248->1249 1264 6d356bf4-6d356bfa 1249->1264 1265 6d356c03-6d356c09 1249->1265 1284 6d35645e-6d356461 1250->1284 1251->1242 1253->1233 1264->1265 1267 6d356bfc 1264->1267 1267->1265 1285 6d3564e7-6d356690 call 6d376bb0 call 6d377410 call 6d376c10 call 6d3b0830 * 4 call 6d3ac476 1284->1285 1286 6d356467-6d356484 1284->1286 1321 6d356717-6d35671a 1285->1321 1287 6d3563c1-6d356457 call 6d3580a0 call 6d3a7ed0 call 6d376bb0 call 6d377410 call 6d376c10 1286->1287 1288 6d35648a-6d3564e2 call 6d376bb0 call 6d377410 call 6d376c10 1286->1288 1287->1284 1288->1287 1322 6d3567c0-6d356a5a call 6d3b09b0 * 2 call 6d376bb0 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377230 call 6d377410 call 6d376c10 1321->1322 1323 6d356720-6d356744 1321->1323 1389 6d356a7c-6d356aad call 6d376bb0 call 6d376db0 call 6d376c10 1322->1389 1390 6d356a5c-6d356a77 call 6d376bb0 call 6d377410 call 6d376c10 1322->1390 1324 6d356746-6d356749 1323->1324 1325 6d35674b-6d356779 call 6d376bb0 call 6d377410 call 6d376c10 1323->1325 1324->1325 1327 6d35677e-6d356780 1324->1327 1332 6d356695-6d356716 call 6d3580a0 call 6d3a7ed0 call 6d376bb0 call 6d377410 call 6d376c10 1325->1332 1327->1332 1333 6d356786-6d3567bb call 6d376bb0 call 6d377410 call 6d376c10 1327->1333 1332->1321 1333->1332 1389->1217 1402 6d356aaf-6d356aba call 6d34a700 1389->1402 1390->1389 1402->1217
    Strings
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D356C1E
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D35629A
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D356A06
    • , xrefs: 6D35606A
    • 5, xrefs: 6D356C27
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D355ABA
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D3568DC
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D35699C
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D3564EC
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D3562C7
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D356C34
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D356C4A
    • ., xrefs: 6D3561FE
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D3564A4, 6D35678B
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: 1a034bec820ce7ec69ad435bb23af0b01d9ce59ef95304e54451d48719a1a2f5
    • Instruction ID: 38e8a1686a94065f02e613e239c693ff29fe24feea0bae73a551185f12769ef0
    • Opcode Fuzzy Hash: 1a034bec820ce7ec69ad435bb23af0b01d9ce59ef95304e54451d48719a1a2f5
    • Instruction Fuzzy Hash: 6DB2E3B46097458FD764EF28C190B9ABBF5FB8A304F05892ED9C987350DB74E844CB92

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1404 6d3693f0-6d369402 1405 6d369f94-6d369f99 call 6d3aae50 1404->1405 1406 6d369408-6d369450 1404->1406 1405->1404 1407 6d369476-6d36947d 1406->1407 1410 6d369483-6d3694ed 1407->1410 1411 6d36957b-6d369581 1407->1411 1412 6d3694f3-6d3694f5 1410->1412 1413 6d369f8c-6d369f93 call 6d3ac320 1410->1413 1414 6d369587-6d3695b3 call 6d36c5d0 1411->1414 1415 6d3697f9-6d369800 call 6d3ac2f0 1411->1415 1417 6d369f85-6d369f87 call 6d3ac340 1412->1417 1418 6d3694fb-6d369545 1412->1418 1413->1405 1429 6d3695b5-6d369620 call 6d369360 1414->1429 1430 6d369621-6d369631 1414->1430 1421 6d369805-6d36980c 1415->1421 1417->1413 1422 6d369547-6d369550 1418->1422 1423 6d369552-6d369556 1418->1423 1427 6d369810-6d369812 1421->1427 1428 6d369558-6d369576 1422->1428 1423->1428 1433 6d3699fd 1427->1433 1434 6d369818 1427->1434 1428->1427 1431 6d369637-6d369648 1430->1431 1432 6d3697f4 call 6d3ac2e0 1430->1432 1438 6d3697e1-6d3697e9 1431->1438 1439 6d36964e-6d369653 1431->1439 1432->1415 1437 6d369a01-6d369a0a 1433->1437 1440 6d369f7e-6d369f80 call 6d3ac2e0 1434->1440 1441 6d36981e-6d36984c 1434->1441 1443 6d369d72-6d369de0 call 6d369360 1437->1443 1444 6d369a10-6d369a16 1437->1444 1438->1432 1445 6d3697c6-6d3697d6 1439->1445 1446 6d369659-6d369666 1439->1446 1440->1417 1448 6d369856-6d3698af 1441->1448 1449 6d36984e-6d369854 1441->1449 1463 6d369ee5-6d369eeb 1443->1463 1451 6d369d53-6d369d71 1444->1451 1452 6d369a1c-6d369a26 1444->1452 1445->1438 1453 6d36966c-6d3697b3 call 6d376bb0 call 6d377410 call 6d377230 call 6d377410 call 6d377230 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d376c10 call 6d376bb0 call 6d377410 call 6d377100 call 6d376db0 call 6d376c10 call 6d3a6a90 1446->1453 1454 6d3697b8-6d3697c1 1446->1454 1464 6d3698b1-6d3698bd 1448->1464 1465 6d3698bf-6d3698c8 1448->1465 1449->1421 1456 6d369a41-6d369a55 1452->1456 1457 6d369a28-6d369a3f 1452->1457 1453->1454 1461 6d369a5c 1456->1461 1457->1461 1469 6d369a71-6d369a91 1461->1469 1470 6d369a5e-6d369a6f 1461->1470 1467 6d369eed-6d369f02 1463->1467 1468 6d369f68-6d369f79 call 6d3a6a90 1463->1468 1466 6d3698ce-6d3698e0 1464->1466 1465->1466 1472 6d3698e6-6d3698eb 1466->1472 1473 6d3699c8-6d3699ca 1466->1473 1474 6d369f04-6d369f09 1467->1474 1475 6d369f0b-6d369f1d 1467->1475 1468->1440 1477 6d369a98 1469->1477 1470->1477 1479 6d3698f4-6d369908 1472->1479 1480 6d3698ed-6d3698f2 1472->1480 1485 6d3699e2 1473->1485 1486 6d3699cc-6d3699e0 1473->1486 1481 6d369f1f 1474->1481 1475->1481 1482 6d369aa1-6d369aa4 1477->1482 1483 6d369a9a-6d369a9f 1477->1483 1488 6d36990f-6d369911 1479->1488 1480->1488 1489 6d369f21-6d369f26 1481->1489 1490 6d369f28-6d369f40 1481->1490 1491 6d369aaa-6d369d4e call 6d376bb0 call 6d377410 call 6d377230 call 6d377410 call 6d377230 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d376db0 call 6d376c10 call 6d376bb0 call 6d377410 call 6d377230 call 6d377410 call 6d377100 call 6d377410 call 6d377230 call 6d376db0 call 6d376c10 call 6d376bb0 call 6d377410 call 6d3772a0 call 6d377410 call 6d377230 call 6d376db0 call 6d376c10 call 6d376bb0 call 6d377410 call 6d377100 call 6d377410 call 6d377100 call 6d376db0 call 6d376c10 1482->1491 1483->1491 1487 6d3699e6-6d3699fb 1485->1487 1486->1487 1487->1437 1494 6d369917-6d369919 1488->1494 1495 6d369452-6d36946f 1488->1495 1493 6d369f42-6d369f4e 1489->1493 1490->1493 1491->1463 1499 6d369f50-6d369f55 1493->1499 1500 6d369f5a-6d369f5d 1493->1500 1501 6d369922-6d36993d 1494->1501 1502 6d36991b-6d369920 1494->1502 1495->1407 1500->1468 1507 6d3699a7-6d3699c3 1501->1507 1508 6d36993f-6d369944 1501->1508 1506 6d36994b 1502->1506 1511 6d36995e-6d36996d 1506->1511 1512 6d36994d-6d36995c 1506->1512 1507->1421 1508->1506 1515 6d369970-6d3699a2 1511->1515 1512->1515 1515->1421
    Strings
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D36976B
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D369D15
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D3696CD
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D369BD7
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D36967A, 6D369AB3
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D369C88
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D3696F7, 6D369721, 6D369B44, 6D369B6E
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D369B1A
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D3697A2, 6D369F68
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D369C5B
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D369C04
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D3696A4, 6D369AED
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D369CE8
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 3294e16a8dcaa815371ca27de9baaa9ff6326edb9036d17e57ec14580a6e163b
    • Instruction ID: 2a662a26c5294d30ba63fe2d30b6be392a0578cbe5342f66eefbad91617f80d7
    • Opcode Fuzzy Hash: 3294e16a8dcaa815371ca27de9baaa9ff6326edb9036d17e57ec14580a6e163b
    • Instruction Fuzzy Hash: BC5235B5A187458FD360DF68C48079ABBF5FF89304F12892DEAD887344D774A844CBA2

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1764 6d371570-6d37157e 1765 6d371584-6d3715b6 call 6d3732a0 1764->1765 1766 6d37181e-6d371823 call 6d3aae50 1764->1766 1771 6d371807-6d37181d call 6d3a6a90 1765->1771 1772 6d3715bc-6d3715ea call 6d371470 1765->1772 1766->1764 1771->1766 1777 6d3715fc-6d371631 call 6d3732a0 1772->1777 1778 6d3715ec-6d3715f9 call 6d3ac270 1772->1778 1783 6d371637-6d371669 call 6d371470 1777->1783 1784 6d3717f1-6d371802 call 6d3a6a90 1777->1784 1778->1777 1788 6d37167b-6d371683 1783->1788 1789 6d37166b-6d371678 call 6d3ac270 1783->1789 1784->1771 1791 6d37172d-6d37175f call 6d371470 1788->1791 1792 6d371689-6d3716bb call 6d371470 1788->1792 1789->1788 1800 6d371771-6d3717a9 call 6d371470 1791->1800 1801 6d371761-6d37176e call 6d3ac270 1791->1801 1798 6d3716cd-6d3716d5 1792->1798 1799 6d3716bd-6d3716ca call 6d3ac270 1792->1799 1804 6d3717db-6d3717ec call 6d3a6a90 1798->1804 1805 6d3716db-6d37170d call 6d371470 1798->1805 1799->1798 1812 6d3717bb-6d3717c4 1800->1812 1813 6d3717ab-6d3717b8 call 6d3ac270 1800->1813 1801->1800 1804->1784 1816 6d37171f-6d371727 1805->1816 1817 6d37170f-6d37171c call 6d3ac270 1805->1817 1813->1812 1816->1791 1820 6d3717c5-6d3717d6 call 6d3a6a90 1816->1820 1817->1816 1820->1804
    Strings
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D371807
    • P, xrefs: 6D3717E4
    • RtlGetCurrentPeb, xrefs: 6D371734
    • NtCreateWaitCompletionPacket, xrefs: 6D37163E
    • RtlGetVersion, xrefs: 6D37177E
    • bcryptprimitives.dll, xrefs: 6D37158D
    • ntdll.dll, xrefs: 6D371608
    • NtAssociateWaitCompletionPacket, xrefs: 6D371690
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D3717C5
    • , xrefs: 6D3716A2
    • NtCancelWaitCompletionPacket, xrefs: 6D3716E2
    • ProcessPrng, xrefs: 6D3715BF
    • , xrefs: 6D37169A
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: 6ed1b45feeecbbaa0741f820ef9a0db76061d467d12290d566c4201633d49faa
    • Instruction ID: c5766eaeedf69fa5461a4c5a6b2b72d6cd8459d7cde41b3eed3137e409581a6d
    • Opcode Fuzzy Hash: 6ed1b45feeecbbaa0741f820ef9a0db76061d467d12290d566c4201633d49faa
    • Instruction Fuzzy Hash: 0271C2B5209B429FDB44EF68D59075ABBF0BB8A384F05C82DE49883340D774D848CF96
    Strings
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D36418A
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1pediatrasFindCloseLo, xrefs: 6D363D81
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D363E09
    • , xrefs: 6D363E12
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D363CB8, 6D36412C
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D363C4F
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D363CE2, 6D364156
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D363C65
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D363DAB
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D3641A9
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D363D16
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1pediatrasFindCloseLo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-3363956884
    • Opcode ID: d4d6081ae9825b69709451814a7527d3199599202de4e20d7d0e659e875d1370
    • Instruction ID: b7bef68333ffbcd5208ee86309141bf5dd29a2497a199a74e9f2c533c541319e
    • Opcode Fuzzy Hash: d4d6081ae9825b69709451814a7527d3199599202de4e20d7d0e659e875d1370
    • Instruction Fuzzy Hash: 148223B460C7958FC351DF28C090B6ABBE1BF8A704F05886DE9C88B395D775D845CBA2
    Strings
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D372DEC
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D372D6E
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D372F31
    • %, xrefs: 6D372F3A
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D372EFD
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D372E20
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D372D29
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D372D95
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D372DC9
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D372E7B, 6D372ED6
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D372E47, 6D372EA2
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: eb401b084179599a11e2b784a525e02c59221a60333d2e65559b3f4d1a45acf1
    • Instruction ID: b56630c7fc78336054be26319d7107477ec4a6a83fc896aa43efe0b7eb4d0ab4
    • Opcode Fuzzy Hash: eb401b084179599a11e2b784a525e02c59221a60333d2e65559b3f4d1a45acf1
    • Instruction Fuzzy Hash: 1AC1BEB4609B029FD350EF68C194B5ABBF4EF89708F12892CE9D887340D7799948CF56
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 0b287e6234659e2fd7e4f679ca9e527d641d64fa76b7ad6b82d605976c31fb30
    • Instruction ID: 192fb2bfe3075a0e14997effc3d5c6317b67cdb8803fabbb4f7bd158a68261f6
    • Opcode Fuzzy Hash: 0b287e6234659e2fd7e4f679ca9e527d641d64fa76b7ad6b82d605976c31fb30
    • Instruction Fuzzy Hash: 01019EB68097009BCB40BF78964A31EBFF8EB42345F05853DC88887209E7309824CFA3
    Strings
    • 2, xrefs: 6D3A3D50
    • p, xrefs: 6D3A3D5E
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D3A36FF
    • 4, xrefs: 6D3A3D0E
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D3A3D1B
    • 3-, xrefs: 6D3A3D58
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D3A3D31
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D3A3D05
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D3A3D47
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: ce6df8d4ffd90f7d13bd28994c6bee2b720a7ac0108cdd4255e15f3e28823d34
    • Instruction ID: 16387ad89321ef7fff234b6a91e4a850c1438891eb852928c13b2c647c8876e9
    • Opcode Fuzzy Hash: ce6df8d4ffd90f7d13bd28994c6bee2b720a7ac0108cdd4255e15f3e28823d34
    • Instruction Fuzzy Hash: 6B62BC706087558FC704DFA9C09062ABBF1FF89714F19896DE9A88B392D736D845CF82
    Strings
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D3BD785
    • n, xrefs: 6D3BD1B1
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D3BCF75, 6D3BD068, 6D3BD138, 6D3BD6F4, 6D3BD816, 6D3BD8A7, 6D3BD938, 6D3BD9CD
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D3BD1C5
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D3BD663
    • !, xrefs: 6D3BD0EC
    • v, xrefs: 6D3BD025
    • $, xrefs: 6D3BD66D
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
    • API String ID: 0-3686076665
    • Opcode ID: 0622d2f06232007f296f9326198d53957c849782cbbd5ff1ce78d22cbb17de89
    • Instruction ID: 3c9a1900997455e752a47d85927c20f24177de6dc954b86e6c98cdfa34a26680
    • Opcode Fuzzy Hash: 0622d2f06232007f296f9326198d53957c849782cbbd5ff1ce78d22cbb17de89
    • Instruction Fuzzy Hash: 207213B4A083458FC724DF28D18075AFBF1BB89700F54892EE9A987741DB75E948CF92
    Strings
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWuseren pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6D3C3BCA, 6D3C3E95
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1pediatrasFindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutin, xrefs: 6D3C3FD9, 6D3C42BB
    • 0, xrefs: 6D3C3344
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D3C3BE4, 6D3C3EAF, 6D3C3FF3, 6D3C42D5
    • 0, xrefs: 6D3C30B1
    • 0, xrefs: 6D3C3267
    • 0, xrefs: 6D3C3150
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1pediatrasFindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutin$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWuseren pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
    • API String ID: 0-4253239785
    • Opcode ID: f0fca9e1feed4dbefedf58a8b8362f2c207a89629cf15ccf049c006eabcb2ec3
    • Instruction ID: 76ff37fd14b1dec5f40f9e7905a6f5c03f5785464a4b4b4e51b1ba8b9456f7ac
    • Opcode Fuzzy Hash: f0fca9e1feed4dbefedf58a8b8362f2c207a89629cf15ccf049c006eabcb2ec3
    • Instruction Fuzzy Hash: C103E2B8A083868FC325CF18C19079EFBE1BBC9300F15892EE99997351D771A945CB93
    Strings
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D396566
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D396320
    • , xrefs: 6D396039
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D3966C5
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D396593
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D396539
    • , xrefs: 6D396031
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D3963FD
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 6e86f708f0f09bd69b63735893a334bd90a9e91f746747f9c3f3b339d1ded9a3
    • Instruction ID: 53c9ac1603e3006b569a823976d9f479fe6cbda56d21d890c563d53090b11f99
    • Opcode Fuzzy Hash: 6e86f708f0f09bd69b63735893a334bd90a9e91f746747f9c3f3b339d1ded9a3
    • Instruction Fuzzy Hash: DE32D1B460D7818FC365DF65C190B9FBBE1AF89304F05882EE9C89B351EB359845CB92
    Strings
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D371BD9
    • winmm.dll, xrefs: 6D371AF3
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D371C34
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D371C0D
    • timeEndPeriod, xrefs: 6D371B73
    • &, xrefs: 6D371C3D
    • timeBeginPeriod, xrefs: 6D371B29
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 64c49ac07d146c3671225213fd9e39825e8a92b4f92aa430babe1655789430da
    • Instruction ID: ef509244ea92501bb5bf2d63b5911b25d3054c7ab0dec7cdecc0265bd5d2a34f
    • Opcode Fuzzy Hash: 64c49ac07d146c3671225213fd9e39825e8a92b4f92aa430babe1655789430da
    • Instruction Fuzzy Hash: 8451E3B5609B429FDB54EF68D0A471ABBF4EB4A348F01C82CE5D883240D778D848CF96
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 20f2c08b11a581b611bb70c8d4d68aaaf8e24c5a0c6d905bb0196d780c49edfe
    • Instruction ID: cf88ded5c77b7c12fe0e262888b1438b4e58d5b09526739c0afd2920002ee7af
    • Opcode Fuzzy Hash: 20f2c08b11a581b611bb70c8d4d68aaaf8e24c5a0c6d905bb0196d780c49edfe
    • Instruction Fuzzy Hash: A4019DB15083019FD700AF68C59971EFFF4AB88349F00892DE9D996294E7B986488F93
    Strings
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D37E0D5
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D37E0BF
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D37E0A9
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D37E0EB
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D37E093
    • !, xrefs: 6D37E0DE
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: e712abd3ca5cfddfac6de6ff30f9a3ba8d44a9cb292561682bec6f16dc302434
    • Instruction ID: 1afbe05683553a530064efb00eec839e89bc188285dca9041aabc9bdf9f7f45e
    • Opcode Fuzzy Hash: e712abd3ca5cfddfac6de6ff30f9a3ba8d44a9cb292561682bec6f16dc302434
    • Instruction Fuzzy Hash: C3A2DD7460DB419FD764DF68D090B6ABBF0BB8A744F05882DE9D887380EB39D844CB56
    Strings
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D371369
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D371417
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D37139D, 6D3713F8, 6D37144B
    • d, xrefs: 6D371276
    • 5, xrefs: 6D371420
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D3713C4
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: a994a2232f7a5443a9c4c3eac5da4cb412ed243a9b0d1e76f0193e05e307870d
    • Instruction ID: 2ce96512da7f4fb0e3b22e9b463b8b8ea066c3b418512925e5d1b2016d2c801a
    • Opcode Fuzzy Hash: a994a2232f7a5443a9c4c3eac5da4cb412ed243a9b0d1e76f0193e05e307870d
    • Instruction Fuzzy Hash: 1051CDB460DB019FD750EF29C1A4B1ABBF4AF89748F01882DE9D887350D7789948CF96
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D3D634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D3D635F
    • GetCurrentProcess.KERNEL32 ref: 6D3D6368
    • TerminateProcess.KERNEL32 ref: 6D3D6379
    • abort.MSVCRT ref: 6D3D6382
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b7246949e9ca42c9c45434427b8cba48d50810cb5669f4e692d7cce0b1032d25
    • Instruction ID: 2490d8456de48b2416073da4096fb2de3d5d79f4a71c3e807124138c2fff6fbb
    • Opcode Fuzzy Hash: b7246949e9ca42c9c45434427b8cba48d50810cb5669f4e692d7cce0b1032d25
    • Instruction Fuzzy Hash: BE1104BA9082058FCB40EF68C15971EBFF0BB49304F088929E998D7358E734D9448F92
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D3D6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3413B9), ref: 6D3D629A
    • GetCurrentThreadId.KERNEL32 ref: 6D3D62A2
    • GetTickCount.KERNEL32 ref: 6D3D62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3413B9), ref: 6D3D62B9
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 8cbe86cce7bc145fe6f3fd2a315eebc838acef9a8eaff4595e8ac3c38fac4316
    • Instruction ID: 2741cd7b921bdae261cf175218391c2be4bf3935d38fe5137b01e40d05098e44
    • Opcode Fuzzy Hash: 8cbe86cce7bc145fe6f3fd2a315eebc838acef9a8eaff4595e8ac3c38fac4316
    • Instruction Fuzzy Hash: 76115EB66053018BDB40EF79E88864BBFF8FB89354F054D39E494C6204EB31D8488B92
    Strings
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D3619C0
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D361A0F
    • !, xrefs: 6D361A18
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D36198C, 6D3619DB
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: 496be2ff8be1d8d56fcc87d2e2a2749df19a240f5242e07c6689ec4819aa1e1f
    • Instruction ID: 1970d9452b516478283becd095f24e7cc0990b02e0f7b6dc14f096fb99f20e21
    • Opcode Fuzzy Hash: 496be2ff8be1d8d56fcc87d2e2a2749df19a240f5242e07c6689ec4819aa1e1f
    • Instruction Fuzzy Hash: 1EF1E0366093664FD755DEA888C065EB7E2FBC4344F15893CD99487388EB71D805C6E2
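    The records above mix three kinds of functions, and a triage pass should separate them before anyone reads disassembly. The script below is an added example (it is neither Joe Sandbox code nor code from the sample): it parses records in the plugin's format and labels each one. Its embedded input is an excerpt of four records copied from this report and trimmed to the lines the parser reads; the labels are the editor's heuristics, not a report feature. Two of the labels rest on exact import sets: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount and QueryPerformanceCounter (the function at 6D3D6289) are precisely what the mingw-w64 and MSVC CRT `__security_init_cookie` xors together to seed the GS stack cookie, so the "execution timing" signature should not be read as anti-debugging for that function; SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess and abort (the function at 6D3D634F) are the same CRT's `__report_gsfailure`, and `abort.MSVCRT` fits a Go c-shared DLL built with MinGW gcc. Strings such as "runtime: ...", "findrunnable", "stopTheWorld" and the winmm.dll/timeBeginPeriod pair come from the Go runtime (os_windows.go loads winmm.dll for timeBeginPeriod, hence the "timeBegin/EndPeriod not found" string) and are not sample-specific. What the excerpt leaves for manual review is the FormatMessage/GetLastError/fprintf function whose format string "Erro: %s" is Portuguese, consistent with the mekotio tag on the sample.

```python
"""Triage Joe Sandbox 'IDA Plugin' function records (added example, not Joe Sandbox
or sample code). REPORT_EXCERPT is copied from four records above, trimmed to the
lines the parser reads; the labels are the editor's heuristics, not a report feature."""
import re
from dataclasses import dataclass, field

REPORT_EXCERPT = """\
Strings
• runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelect, xrefs: 6D371BD9
• winmm.dll, xrefs: 6D371AF3
• timeBeginPeriod, xrefs: 6D371B29
Similarity
• API ID:
• String ID: &$runtime: GetProcAddress failed; errno=$timeBeginPeriod$timeEndPeriod$winmm.dll
• Instruction Fuzzy Hash: 8451E3B5609B429FDB54EF68D0A471ABBF4EB4A348F01C82CE5D883240D778D848CF96
APIs
Strings
Similarity
• API ID: ErrorFormatFreeLastLocalMessagefprintf
• String ID: Erro: %s
• Instruction Fuzzy Hash: A4019DB15083019FD700AF68C59971EFFF4AB88349F00892DE9D996294E7B986488F93
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 6D3D634F
• UnhandledExceptionFilter.KERNEL32 ref: 6D3D635F
• GetCurrentProcess.KERNEL32 ref: 6D3D6368
• TerminateProcess.KERNEL32 ref: 6D3D6379
• abort.MSVCRT ref: 6D3D6382
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• Instruction Fuzzy Hash: BE1104BA9082058FCB40EF68C15971EBFF0BB49304F088929E998D7358E734D9448F92
APIs
• GetSystemTimeAsFileTime.KERNEL32 ref: 6D3D6289
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3413B9), ref: 6D3D629A
• GetCurrentThreadId.KERNEL32 ref: 6D3D62A2
• GetTickCount.KERNEL32 ref: 6D3D62AA
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3413B9), ref: 6D3D62B9
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• Instruction Fuzzy Hash: 76115EB66053018BDB40EF79E88864BBFF8FB89354F054D39E494C6204EB31D8488B92
"""
SECTIONS = {"APIs", "Strings", "Similarity", "Memory Dump Source"}
API_RE = re.compile(r"^• (\w+)\.(\w+)")  # "• Name.MODULE ref: ..." or "• Name.MODULE(args), ref: ..."
STR_RE = re.compile(r"^• (.*), xrefs: [0-9A-F]+(?:, [0-9A-F]+)*$")
KEY_RE = re.compile(r"^(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s?(.*)$")
# Exact import sets of two mingw-w64 / MSVC CRT stubs (gs_support.c). The timing
# APIs in the first seed the GS stack cookie; they are not anti-debug timing.
CRT_GS_INIT = {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
               "GetTickCount", "QueryPerformanceCounter"}
CRT_GS_FAIL = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
               "GetCurrentProcess", "TerminateProcess", "abort"}
GO_MARKERS = ("runtime: ", "findrunnable", "stopTheWorld", "winmm.dll", "timeBeginPeriod")

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

def parse_records(text):
    """One FuncRecord per function; 'Instruction Fuzzy Hash' is the record's last field."""
    records, cur, section = [], FuncRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(m.group(1))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append(m.group(1))
        elif line.startswith("• ") and (m := KEY_RE.match(line[2:])):
            cur.meta[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FuncRecord()
    return records

def classify(rec):
    """Label a record as CRT stub, Go runtime noise, or sample code to review."""
    apis = set(rec.apis)
    if apis == CRT_GS_INIT:
        return "crt:__security_init_cookie"
    if apis == CRT_GS_FAIL:
        return "crt:__report_gsfailure"
    blob = " ".join(rec.strings) + " " + rec.meta.get("String ID", "")
    if any(marker in blob for marker in GO_MARKERS):
        return "go-runtime"
    return "review"

def triage(text=REPORT_EXCERPT):
    """(fuzzy-hash prefix, label, API ID, String ID) per record, 'review' rows first."""
    rows = [(r.meta["Instruction Fuzzy Hash"][:8], classify(r), r.meta.get("API ID", ""),
             r.meta.get("String ID", "")) for r in parse_records(text)]
    return sorted(rows, key=lambda row: row[1] != "review")

if __name__ == "__main__":
    print(*triage(), sep="\n")
```

    Run against the full report text, the same parser works unchanged because the trimmed excerpt keeps the plugin's own line shapes; only the `Memory Dump Source` and `Joe Sandbox IDA Plugin` lines are skipped. Exact-set matching for the CRT stubs is deliberate: a function that calls GetTickCount together with anything else still lands in "review".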
    Strings
    • stopTheWorld: useren CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D37A7EB
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D37A7B0
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D37A843
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D37A690
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: useren CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: b17b748c8afdf1c998232f017bc0c8e7603f6951c84b32159c0d3ca1c6e0ec0c
    • Instruction ID: 7b6ca9188ba6a9f5524482f58fcf56d76c03d0f37deaefde3f29c0094e07f1c6
    • Opcode Fuzzy Hash: b17b748c8afdf1c998232f017bc0c8e7603f6951c84b32159c0d3ca1c6e0ec0c
    • Instruction Fuzzy Hash: E1F1FD7460C7418FC318DF69C190A6ABBF1BB8A744F05892DE9D887351D735E845CF86
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 712e939f80e218e97aca26977df7ae86d7305508a57597ce0bab72553a19ba7f
    • Instruction ID: a1e7c2e138421f78ad86dc99f77bbb531772b75df10fc2d3883f7062f952d897
    • Opcode Fuzzy Hash: 712e939f80e218e97aca26977df7ae86d7305508a57597ce0bab72553a19ba7f
    • Instruction Fuzzy Hash: D621CDB56087429FC714DF25C094B5ABBF0BB89348F40892DE4D887250E779DA88CF87
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D386A04
    • <, xrefs: 6D386A0D
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D3869D7
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 913218ece0a993b8a7996cc528dd5117855087695caf094b212843ff6a5d573b
    • Instruction ID: 7b8f375f8a5b29e6c773c610f03226d867e6cea98951e2e5a5caca8a543edd62
    • Opcode Fuzzy Hash: 913218ece0a993b8a7996cc528dd5117855087695caf094b212843ff6a5d573b
    • Instruction Fuzzy Hash: 960269B4A187058FC714CF69C19061EBBE2BFC8704F15C92DEA998B351EB75E805CB82
    Strings
    • ', xrefs: 6D3764AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D37648D
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D3764A3
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 7e87b1273990efc60755f1efd996afc0f0a4fca3be51cdacc3c022ad37cb9fc9
    • Instruction ID: be01b7e59ce1f154fec8c994f3a22b90f59298ce9fa5450fe345a56d2f76586c
    • Opcode Fuzzy Hash: 7e87b1273990efc60755f1efd996afc0f0a4fca3be51cdacc3c022ad37cb9fc9
    • Instruction Fuzzy Hash: DED1327420C7418FC395DF29C0A0A2ABBF1AF8A748F49886DF9C497351D739E944CB96
    Strings
    • +, xrefs: 6D366D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D366D4E
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 99365d1418181d40fa0c07a23cdd262633998a251b9e7ad4574e8bbc298c4fda
    • Instruction ID: 9b6d795d7af8d590b969d6354d019f07304059e35d839f7136732e7e6467d1d0
    • Opcode Fuzzy Hash: 99365d1418181d40fa0c07a23cdd262633998a251b9e7ad4574e8bbc298c4fda
    • Instruction Fuzzy Hash: 2822EF7460D7818FC354DF29C190A2ABBE1BF89744F05C86DEAD987358DB35E844CBA2
    Strings
    • @, xrefs: 6D36B4FB
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D36B60F
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 05b7ef19bc0600c79e2db04a3df7151bbf6a82ef1de0e71781f5b6e6ba2e118e
    • Instruction ID: 8c120c2c547839ef3fbc191a2d059bb0dcd9ac502d550a48cc591a6ce75225b1
    • Opcode Fuzzy Hash: 05b7ef19bc0600c79e2db04a3df7151bbf6a82ef1de0e71781f5b6e6ba2e118e
    • Instruction Fuzzy Hash: DBA1C17560870A8FC704CF18C88065AB7E1FFC8354F49CA2DE9999B345DB34E95ACB92
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: f054ffac746b4b648e78165dd62ff37d6070755382b39ed127b36c7bac65d409
    • Instruction ID: 6b94e193132786b2c12cdfe96aa8a0c71395f7f486dec04fe5d173e85e53c2a5
    • Opcode Fuzzy Hash: f054ffac746b4b648e78165dd62ff37d6070755382b39ed127b36c7bac65d409
    • Instruction Fuzzy Hash: 64519220C1CF9B65E6331BBDC4026667B20AEB3144B05D76FFDD6B54B2E7136940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D35CFA1
    • ,, xrefs: 6D35CFAA
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: 190f4259725e8bbfba055f8f2e6142fdab0d61de785e62ec8f01414f2ae6f239
    • Instruction ID: e7dbc4ad9fd4cf1a465fc9634be7134a5d7fd4b49dc892a53a9e8825072d92f8
    • Opcode Fuzzy Hash: 190f4259725e8bbfba055f8f2e6142fdab0d61de785e62ec8f01414f2ae6f239
    • Instruction Fuzzy Hash: A5318E756093968FD305DF18C490A69BBF1AB86608F0985BDCC885F387DB31E84ACBC1
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D3C5B6E
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: 6df5666735056ae01990f79e201f9d00390109e20cfe678bc0182a2c1c3a553d
    • Instruction ID: 81020b92550c9de6d596da89af5affd99acd2c57487f744aa9690d33168d9d09
    • Opcode Fuzzy Hash: 6df5666735056ae01990f79e201f9d00390109e20cfe678bc0182a2c1c3a553d
    • Instruction Fuzzy Hash: 8D5215B5A083858FD334CF18C55139EFBE1ABC5304F45892DDAD89B391EBB5A9448B83
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: 3adab0aa08af549692b95faddba1623919639634b74d90628a09714a68d2334f
    • Instruction ID: 68e81bac227d1c1757faa0cec125042e8bd4a96d5fd4f9e0cfca5c42e906e999
    • Opcode Fuzzy Hash: 3adab0aa08af549692b95faddba1623919639634b74d90628a09714a68d2334f
    • Instruction Fuzzy Hash: 0C229E7560D3468BC734DF58C4C466EB7E1EFC9304F188A2DDA998B391EB71A805CB92
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D350D52
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 345d41036fe608175d38fa1e946170944aacab6e401b90b22c2cd3e5df9556b3
    • Instruction ID: 9c9d5dd3949adf92ca7373985d9b12feae10944a998b6fb7d5d3bc957ec47cda
    • Opcode Fuzzy Hash: 345d41036fe608175d38fa1e946170944aacab6e401b90b22c2cd3e5df9556b3
    • Instruction Fuzzy Hash: CAD1437460D7869FC744DF29C090A2EBBE0BF8A748F01892DE9D98B340E736D955CB52
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D36D3CB
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 50881a4fcd50d47189470d476ae32f959b19e82bd738f9b03e43978817b0e78c
    • Instruction ID: 06131595e9fde5604e919d1218f4a1c67d6c65d1942e8018fe8d11a17d93a008
    • Opcode Fuzzy Hash: 50881a4fcd50d47189470d476ae32f959b19e82bd738f9b03e43978817b0e78c
    • Instruction Fuzzy Hash: 5FB1D4746083469FC744DF68D48092ABBF1BBCA744F62882DE9D487314E735E945CFA2
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 8d3096d20987f3856bbe2aa83a15a897c209c9a9b0ef2c39b506035e5af999fa
    • Instruction ID: 876775b0f71f99bb3782a8219ad0116cbb0b1bc6574a16cb4e58d6e4b4f5da47
    • Opcode Fuzzy Hash: 8d3096d20987f3856bbe2aa83a15a897c209c9a9b0ef2c39b506035e5af999fa
    • Instruction Fuzzy Hash: D3A18171B083054FC71CDE6DD99131ABAE6ABC8304F09CA3DE589CB7A4E635DD058B86
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 9a89505261efa6db4ca5bff0dc4d6140b1e5939277fc0d459d7c512b3ed59182
    • Instruction ID: 586eafb7a9bd399616fb0cd27ec74ae0292d64212ded2887205fcd7a35ff39fe
    • Opcode Fuzzy Hash: 9a89505261efa6db4ca5bff0dc4d6140b1e5939277fc0d459d7c512b3ed59182
    • Instruction Fuzzy Hash: 499130B5A093859FC344CF28C080A1ABBE1FF88744F45992EE9D887341E735E985CF92
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f6f2c5573499532829a8a345bd89b07e31364e773238923ee0a5c89f3df35f0
    • Instruction ID: 2640230e5eece055b7f2930916d86abc822a1bb5865faf11214a420edb8987a3
    • Opcode Fuzzy Hash: 4f6f2c5573499532829a8a345bd89b07e31364e773238923ee0a5c89f3df35f0
    • Instruction Fuzzy Hash: 31826576A083558BC738CE0DC49079AF3E6BBDD300F51896ED699D3790EB70A905CB92
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 206cca491f6be11bed7eafac54510c62f20b0812f05e289264e7dd3f7e25ddc2
    • Instruction ID: e9f5a5b2b76c524ecd0b1a0a0f34a0631c940bd25feffe80389194224f3cd9bb
    • Opcode Fuzzy Hash: 206cca491f6be11bed7eafac54510c62f20b0812f05e289264e7dd3f7e25ddc2
    • Instruction Fuzzy Hash: 652270B6A1C7468FD724CF65C49036BF7E2BBC5304F55C82DEA858B251EB7198098B83
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 18d7bcd8b8e2658432215d9de11fb7ed286e3ae19a930f78236f87db77f67875
    • Instruction ID: 97b9af5d12fc1ff5138e0bbea02f963cdb13f505e6d4e8d2c77824f855d62822
    • Opcode Fuzzy Hash: 18d7bcd8b8e2658432215d9de11fb7ed286e3ae19a930f78236f87db77f67875
    • Instruction Fuzzy Hash: 77127972A087498FC314DE5DC94124AF7E6BBC4304F59CA3DD9988B355EB70ED058B82
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e7d0276d73ceb33a54912166ca5cf7bdfe572ec6ccd748bc8d8fb8af3bdf1035
    • Instruction ID: 2d8d4e1e03d1f285ad9696c3cb134099abf9158ec0cce1cd87bd5f6b49a42ae3
    • Opcode Fuzzy Hash: e7d0276d73ceb33a54912166ca5cf7bdfe572ec6ccd748bc8d8fb8af3bdf1035
    • Instruction Fuzzy Hash: 86E15733B1875A4BD715DEAD88C025EBAD2ABC8344F09863CDD649B384FA75DC0A86D1
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 66a6f9ca59bb09ff9fe4b48f3a30cb46a31b666a31a9de435120cf8e8c1ef58f
    • Instruction ID: 01454f3661ec9c4148196b2858ae41ea99fdb798efc59d424d1e05f34ca17748
    • Opcode Fuzzy Hash: 66a6f9ca59bb09ff9fe4b48f3a30cb46a31b666a31a9de435120cf8e8c1ef58f
    • Instruction Fuzzy Hash: DF027C356083468FD724CF68C4C0A6EB7E1BF89344F55892DEAD98B391E731E845CB92
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d0d0d56907791aa9868a6a58bf43e413dfca8bf09bbae72dfaa9482c7a7a309e
    • Instruction ID: d6e9ae4f056d1dae670da2f86433361d2fde251e4c65f9b4f1bc1dd1b909ca99
    • Opcode Fuzzy Hash: d0d0d56907791aa9868a6a58bf43e413dfca8bf09bbae72dfaa9482c7a7a309e
    • Instruction Fuzzy Hash: 61E1E433E2472507D3149E58CC80249B6D3ABC8670F4EC72DED95AB781EAB4ED5987C2
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3cb545ed7baef5ff280ea91941555cf98c81c49c5bbd2dac5252f8672cd3f48f
    • Instruction ID: 7e5986fe4b4643535a560aea2157785ffd600196dbd9a4e0ce08d2313c9b3750
    • Opcode Fuzzy Hash: 3cb545ed7baef5ff280ea91941555cf98c81c49c5bbd2dac5252f8672cd3f48f
    • Instruction Fuzzy Hash: 4FE1ADB6A0C7668BC315CF29849032FBBE2ABC5704F45C92DE9958B261E771DC058BD3
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5a039a4a57b967ccbaef0a1dfbe3050c5681cbc0f9732eac21098ab3ac5f76fb
    • Instruction ID: 91610e217ece019c608b8499ff0fbde9fe4e69eba52e44b0a8ab4f297cdc2fd5
    • Opcode Fuzzy Hash: 5a039a4a57b967ccbaef0a1dfbe3050c5681cbc0f9732eac21098ab3ac5f76fb
    • Instruction Fuzzy Hash: E0C1F432B083164FC709DE6CC89065EBBE2ABC8344F49863CE995DB3A5E775ED058781
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6681b8e6ff4d06962c0520072c066d5e71569713334ecd0078f0635b438102c2
    • Instruction ID: 1f3461c60de187ad256631956dc1febb1706a3e340d69e593675f56e05cd4514
    • Opcode Fuzzy Hash: 6681b8e6ff4d06962c0520072c066d5e71569713334ecd0078f0635b438102c2
    • Instruction Fuzzy Hash: CAE19E7560C3568FC315DF28C4C192EFBE1AFCA204F458A6DE9958B392E730E945CB92
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 824ee1559e9d67b4b2dcb0ea8e52e18704f0204367f66b1dbfa6a3cc47c49d4b
    • Instruction ID: 7ac09e969cd2dda5ccd6bd9852afc76fd0c8a8d56372602ee8951f5aa272694a
    • Opcode Fuzzy Hash: 824ee1559e9d67b4b2dcb0ea8e52e18704f0204367f66b1dbfa6a3cc47c49d4b
    • Instruction Fuzzy Hash: DCF1E27460C7918FC364CF29C090B9BBBE2BBCA304F54892DE9D897351EB35A805CB56
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c901833416e1e98e281e6fc02339cfb4311155231826d1b1293ee61647147030
    • Instruction ID: ab1bb79aad9f6d0c2aaa825ea5fd18c18df2732ec7bcd91f9d7480df030a489c
    • Opcode Fuzzy Hash: c901833416e1e98e281e6fc02339cfb4311155231826d1b1293ee61647147030
    • Instruction Fuzzy Hash: 51C1727060432A4FC251CE5EDCC0A2A73D1AB4821DF95866D96448F7C3DA3AF46B97E4
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c55d434a2a73e91a5a92fe2882758d109e215460ef10dfab2924251f478af018
    • Instruction ID: 6e344e9699b0335d4b1bd7b482f80ec4fe44883d6e162b3376ab4003a1e3a060
    • Opcode Fuzzy Hash: c55d434a2a73e91a5a92fe2882758d109e215460ef10dfab2924251f478af018
    • Instruction Fuzzy Hash: 11C1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D96448F7C3DA3AF46B97E4
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 044b72d2ae942a9314cc44b5afe4b5033558cb8df9697aa2ff18c03cb15c7793
    • Instruction ID: 254da43fc7b69f19244a692281ab1b71870fcb5803b4970d35a9754f7c07db46
    • Opcode Fuzzy Hash: 044b72d2ae942a9314cc44b5afe4b5033558cb8df9697aa2ff18c03cb15c7793
    • Instruction Fuzzy Hash: 129167326083564FCB19CE9CC8D051EBBE2FBC8344F15873CD9694B388EB729909C691
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cddabf5c189c7c8a7343a0433b3324752ac1d23db3277043566cc7d3ce466a8a
    • Instruction ID: 7b27f032ce9dd0fef046f1478f095db26cc8caf15eea43d22cd6eee9432368ba
    • Opcode Fuzzy Hash: cddabf5c189c7c8a7343a0433b3324752ac1d23db3277043566cc7d3ce466a8a
    • Instruction Fuzzy Hash: 1D815837A4836A0FDB52CDA888D025D3A92EBC4318F09873CD9748B3C9FBB1981582D1
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09fdeb84da0c226a16a9a93f82df25c328c97a5198e93d550b8c0dc8edb6c6d6
    • Instruction ID: 28510c55515eee82cc5d6f1b304e0b2fc9fd542b3aa279026cf0d19d36662446
    • Opcode Fuzzy Hash: 09fdeb84da0c226a16a9a93f82df25c328c97a5198e93d550b8c0dc8edb6c6d6
    • Instruction Fuzzy Hash: 6891C676A187184BD304DE59CCC0659B3E2BBC8324F49C63CE9A89B345E674EE49CB81
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e4367cb76676253cef26e9c8ae86e69a288ab70aec37261eaba8df9d20b464c9
    • Instruction ID: 19e1357b2077d7f3608acad7dc0ea525c0805209bcdfa0312dda80662bf91206
    • Opcode Fuzzy Hash: e4367cb76676253cef26e9c8ae86e69a288ab70aec37261eaba8df9d20b464c9
    • Instruction Fuzzy Hash: 118109B2A183108FC314DF19D88095AF7E2BFC8748F46892DF988D7311E775E9158B82
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 209da772b9d2ab77d8a00edc30d8976d85fc9efb21e5359ad0a692ae9eb65043
    • Instruction ID: da5ba9e4e7223ebe9b1bd78ef4635dc53e3471f5e2b196bcadd50f8dc3f2b92e
    • Opcode Fuzzy Hash: 209da772b9d2ab77d8a00edc30d8976d85fc9efb21e5359ad0a692ae9eb65043
    • Instruction Fuzzy Hash: B591B9B4A093859FC308CF28C090A1ABBE1FF89748F108A6EE9D997354D730E945CF56
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction ID: 707b86e0e703e2561e8da081cda307f54d27318d7366e082d3d851541857748f
    • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction Fuzzy Hash: 4451643090C3A44AE3158F6F48D412AFFE1AFC6301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2c5098461f8933e4ae94e34d52463ff7dc304be0bf617ccd8e5b7b2dd3b366cd
    • Instruction ID: a3f7a54cf9caeb95a6f068a6022bff98016bcd19751ca0f326f8d3b365dbd276
    • Opcode Fuzzy Hash: 2c5098461f8933e4ae94e34d52463ff7dc304be0bf617ccd8e5b7b2dd3b366cd
    • Instruction Fuzzy Hash: 8351673090C3A44AE3158F6F48D402AFFF16FC6301F884A6EF5E443392D5B89515DB6A
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 573f1140ab725ad5e718d68ff8f1fd878450a54f820c1f7cc361315ace8cabf2
    • Instruction ID: 8aa57a90615044a0260db7953974327c39654743357a9fa5206b0537996e572d
    • Opcode Fuzzy Hash: 573f1140ab725ad5e718d68ff8f1fd878450a54f820c1f7cc361315ace8cabf2
    • Instruction Fuzzy Hash: 515158B56093228FC358DF69C490A1AB7E0FF88604F09857CE9999B395D771EC46CBC2
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0655ce19e8daa5f3b3ffba376d32579971c71670b6e560bfe97dcd4009b16804
    • Instruction ID: e5b0603fda2ade74029da34870ab9d67d0bcd5a5c44c5515fda66a53d3ad744c
    • Opcode Fuzzy Hash: 0655ce19e8daa5f3b3ffba376d32579971c71670b6e560bfe97dcd4009b16804
    • Instruction Fuzzy Hash: 9141B475918B054FC346DF39C49021AB3E5BFCA384F14C72DE9596B352EB359846CB42
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ef325fbce866fb1e51f86ce7e191639dfaa58e7dd64af24db8ba9fde454c31cf
    • Instruction ID: 9f6f3f689a87f5ff63fd56b47f2c51cba7f7269431600169bb5e9a4f9790a444
    • Opcode Fuzzy Hash: ef325fbce866fb1e51f86ce7e191639dfaa58e7dd64af24db8ba9fde454c31cf
    • Instruction Fuzzy Hash: E13130B391971D8BD300AF498C40159F7E6AAD0B20F5ECA5ED9A417701DBB0AE15CBC7
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1256c5ef368fb568da81a2180bd734a91c9438babf1008316e67a5bae4f10638
    • Instruction ID: 003f467177939e185a4560e0d77948f96009d7cd5554c03cd92f7cb395457fa6
    • Opcode Fuzzy Hash: 1256c5ef368fb568da81a2180bd734a91c9438babf1008316e67a5bae4f10638
    • Instruction Fuzzy Hash: DC21C2317042528BDB08CF3DC9E022AB7F3ABCE710B59C56CD556877A4DA38AC09C766
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6ae83f5f1bfb79c74d61ffb61a00b6f482b7d469fce0b98ede6c20a3cf677c2a
    • Instruction ID: 3601b456c041dda280a3565666b1ebbb36cb8ff3f671374916d4f025b812e43d
    • Opcode Fuzzy Hash: 6ae83f5f1bfb79c74d61ffb61a00b6f482b7d469fce0b98ede6c20a3cf677c2a
    • Instruction Fuzzy Hash: A0116D75608B42CFD725DF24C0B0B69BBB6FF8A308F45885CE5954B391D73A9848CB46
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 48e124137872c45b5461fedae8c14f8fc5c7678ac34fcbbf8cb7ed7fd4272e2d
    • Instruction ID: c22f9f3420022b2893cd63de56f6bebbdda72b05ef5153375ecfd5723c4ca189
    • Opcode Fuzzy Hash: 48e124137872c45b5461fedae8c14f8fc5c7678ac34fcbbf8cb7ed7fd4272e2d
    • Instruction Fuzzy Hash: B411DBB4600B118FD398DF59C0D4A65B7E2FB8C200B4A81BDDA0A9B766C670AC55DB85
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: af6301a7f08ef24f43fd8a46323d36e6d08e4ba8300a48cea8c5dcced099cd49
    • Instruction ID: 6ea7e561438b7e1aeccb29a0c191318d33c53a5fa25810b470c75ab17a774980
    • Opcode Fuzzy Hash: af6301a7f08ef24f43fd8a46323d36e6d08e4ba8300a48cea8c5dcced099cd49
    • Instruction Fuzzy Hash: 0AC08CB491E3629EF711CB1C810030ABEF0DB81300F88C088A24882208C334C9804614
    APIs
    • Sleep.KERNEL32(?,?,?,6D3412E0,?,?,?,?,?,?,6D3413A3), ref: 6D341057
    • _amsg_exit.MSVCRT ref: 6D341085
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: c=m
    • API String ID: 1015461914-941957460
    • Opcode ID: 1a49cb4daedef3f6fa0bd76ec4c348f72826b78fbbe83d9ece31c1f1841584c5
    • Instruction ID: b92a51fe39a0c336843d7e7be88c8fe8461ebeb4455c29fd064fd479f00c3896
    • Opcode Fuzzy Hash: 1a49cb4daedef3f6fa0bd76ec4c348f72826b78fbbe83d9ece31c1f1841584c5
    • Instruction Fuzzy Hash: 2D41C2B6608242CBEB41BF2DC58171A7BF4FB82344F45C52EE6448B248D73AC890CB92
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6D3D659A
    • @, xrefs: 6D3D6578
    • Address %p has no image-section, xrefs: 6D3D65DB
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D3D65C7
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 66855f647529c58ff877628f51f4c0beda3e6c292e4764391d24df525a03b954
    • Instruction ID: c6d810abe46875a2256cd1f7cf52c6bd066cec77a3e94cdd1b7e505711582510
    • Opcode Fuzzy Hash: 66855f647529c58ff877628f51f4c0beda3e6c292e4764391d24df525a03b954
    • Instruction Fuzzy Hash: B5416FBA9043068BCB40DF69D48575AFBF4FB85354F458629D9A88B319E330E844CFD2
    APIs
    • CreateEventA.KERNEL32 ref: 6D3D5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D3D5D89), ref: 6D3D5CEB
    • fwrite.MSVCRT ref: 6D3D5D20
    • abort.MSVCRT ref: 6D3D5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D3D5D19
    • =, xrefs: 6D3D5D05
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 80cc4d6fa59f38fa84951ade4b09569fb00977f80d7afd660ecb7f1d927a8b16
    • Instruction ID: 129f933a62bfac5b5eae33ee12aa72a7948b442fa55b49e9217bccdb727705d0
    • Opcode Fuzzy Hash: 80cc4d6fa59f38fa84951ade4b09569fb00977f80d7afd660ecb7f1d927a8b16
    • Instruction Fuzzy Hash: EEF0C9B14083019FE740BF68C51932EBEF0AB41345F85886DD89986285DB7AC4588F53
    APIs
    • bsearch.MSVCRT ref: 6D3D4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D3D5BEF), ref: 6D3D4D9A
    • malloc.MSVCRT ref: 6D3D4DC8
    • qsort.MSVCRT ref: 6D3D4E16
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 27f59f4aa1896abc4d4f05e1457151c7848865f34a2b13a1d8f43bdc71234e58
    • Instruction ID: b60ee4cd4f4a20fedafeb6e34db51d662fbecc5f334dd86ef472b4192efce5af
    • Opcode Fuzzy Hash: 27f59f4aa1896abc4d4f05e1457151c7848865f34a2b13a1d8f43bdc71234e58
    • Instruction Fuzzy Hash: 064159766083018FD750DF29D480A2ABBF5FF88314F05892DE98987355E775E848CF92
    APIs
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 5617d133a4a3a4c2e976dabdbd195ebb3535ee7492f9f1be591f6f9e5d1988ca
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 3A117FF2908201CBD7809F28C88076A7BE4BF45354F05CA69E999CB384DB74D444CF62
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D3D5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D3D45D9), ref: 6D3D5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3D45D9), ref: 6D3D5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D3D45D9), ref: 6D3D5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D3D45D9), ref: 6D3D5E50
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 4a44633fd2fddf304466d6deaaf8368325bc1f1e600e2aef5bb7031361a4c679
    • Instruction ID: 8e9244cc028303da9914f11af121f0dd4db429a70b200eb5846f5296224d4df1
    • Opcode Fuzzy Hash: 4a44633fd2fddf304466d6deaaf8368325bc1f1e600e2aef5bb7031361a4c679
    • Instruction Fuzzy Hash: E3014076504304CFDA40BF79958952EBFB4EF52210F850529D99447248D732E868CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D3D7248
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 24754da3832959e2b666efb5033c158c7172e8192f92e06b30843584b5c4787e
    • Instruction ID: ee51e9d96a603cbf2de59fb18b4c909e6f9feef9d94be3f9ddfdf939c2ef9b2d
    • Opcode Fuzzy Hash: 24754da3832959e2b666efb5033c158c7172e8192f92e06b30843584b5c4787e
    • Instruction Fuzzy Hash: F2E0C2B280C7049ED340AF64C08525EBAE8BF89388F42C91CE2C947285C77884848F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D3412A5), ref: 6D3D6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D3D6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D3D6864
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 812f793315bfb2a4c05296c3cfd4165c70465c33cd56ee80fb2472dcae1641ed
    • Instruction ID: 56a2ba57e280cc8c7fc043675756d86833e0e43a42f44aeccb529c10ed56e4ed
    • Opcode Fuzzy Hash: 812f793315bfb2a4c05296c3cfd4165c70465c33cd56ee80fb2472dcae1641ed
    • Instruction Fuzzy Hash: 1A61D376A0420A8FCB44DF68D9C0A6DB7B5FB85318F258529D9669B305D371E802CFD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: f0f48cc894848528723cf809aadfcbdcfa3107d9ceb76f0a03796cfa9149064e
    • Instruction ID: e3a767cd56022af58b687cab0b5da916c85e91e8e7433140b7d38e822f76f493
    • Opcode Fuzzy Hash: f0f48cc894848528723cf809aadfcbdcfa3107d9ceb76f0a03796cfa9149064e
    • Instruction Fuzzy Hash: 2201C5B680D3109BD780AF68944926AFBE4EF49358F46892EE9C997241E7B58440CF63
    APIs
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 8091611e815f0ba489e58437defad3eb2c3cd122ae1ae1a8ba984cf13c57d6f9
    • Instruction ID: 06895e48cdc2a4519d206500a0d8b00d9d0df1c20cef3a82cc227a0e53c45586
    • Opcode Fuzzy Hash: 8091611e815f0ba489e58437defad3eb2c3cd122ae1ae1a8ba984cf13c57d6f9
    • Instruction Fuzzy Hash: 5F21D2B6A093019FDB40EF28D1C571ABBE5BF88304F19C968E8898B209D735D844CF92
    APIs
    Memory Dump Source
    • Source File: 00000009.00000002.1285656469.000000006D341000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D340000, based on PE: true
    • Associated: 00000009.00000002.1285635998.000000006D340000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285728151.000000006D3D8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285749745.000000006D3D9000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285769861.000000006D3DA000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285789610.000000006D3DF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285879005.000000006D488000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D48E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285908494.000000006D493000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285964259.000000006D4A6000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1285996811.000000006D4AD000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286020329.000000006D4AE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000009.00000002.1286045245.000000006D4B1000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_6d340000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: d910314762ab3becbd64ba525d5b5575746bd6e316820cf42e28da67535e1427
    • Instruction ID: b4835f81d48953e8db90289510af4c945cabb339b9a0c03b76979297530ba69b
    • Opcode Fuzzy Hash: d910314762ab3becbd64ba525d5b5575746bd6e316820cf42e28da67535e1427
    • Instruction Fuzzy Hash: F9F08176A002198BDF407F6C85CAA2A7BB4EA45350B090538DD6487208E731E8198BE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    Execution graph nodes (node id: address and API calls):
    • 52895: 6d00cea0
    • 52896: 6d00cec8 WriteFile
    • 52897: 6d00ceb9
    • 52898: 6d035fb0
    • 52899: 6d035fc7 _beginthread
    • 52900: 6d036012
    • 52901: 6d035fe1 _errno
    • 52902: 6d036020 Sleep
    • 52903: 6d035fe8 _errno
    • 52904: 6d036034
    • 52905: 6d035ff9 fprintf abort
    Execution graph edges: 52895->52896, 52895->52897, 52897->52896, 52898->52899, 52899->52900, 52899->52901, 52901->52902, 52901->52903, 52902->52899, 52902->52904, 52903->52905, 52904->52903, 52905->52900

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D035FF9
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: a65a04c5bad0a553c0abce69dc016b660a9781f7e78f106bd453554fae8dd053
    • Instruction ID: 1a83f5aafa275cfd579be11a981e5e2df959930c3a4d328de2956b8a793a7776
    • Opcode Fuzzy Hash: a65a04c5bad0a553c0abce69dc016b660a9781f7e78f106bd453554fae8dd053
    • Instruction Fuzzy Hash: 7A016D74408326DFD7007F69D88872FBBF4EF86320F42492DE59583260CB709440DAA3

    Control-flow Graph

    Control-flow graph nodes (node id: address range and API calls):
    • 8: 6d00cea0-6d00ceb7
    • 9: 6d00cec8-6d00cee0 WriteFile
    • 10: 6d00ceb9-6d00cec6
    Control-flow graph edges: 8->9, 8->10, 10->9
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cb090b5f4a9b1e7a49aa4cf414030b1464c0b68a7e1920abc975b6d50006655f
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 20E0E571505640CFDB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 89948e44c1859b161a98d26fa8500de62d3eb7affce6cca8e40e977ba6c389a2
    • Instruction ID: 4be90816c1fbcb8af72fdea2e60dc273acc1a68eb8aee82e11ae3e21e9674bcb
    • Opcode Fuzzy Hash: 89948e44c1859b161a98d26fa8500de62d3eb7affce6cca8e40e977ba6c389a2
    • Instruction Fuzzy Hash: 6311A4B5904206DFDB00FF69D14976ABBF1BB4A304F41892DE988C7351EBB49944CFA2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: a74123390a6598efa16750cf2581c65db6ad6eda792974bf2d6b567d4cf4aea7
    • Instruction ID: 8658016ed1f98eb3abb04f90809f4c0da47437c8575657b00cb31087b484652a
    • Opcode Fuzzy Hash: a74123390a6598efa16750cf2581c65db6ad6eda792974bf2d6b567d4cf4aea7
    • Instruction Fuzzy Hash: ED11B3B5804206DFDB00FF6AE1497697BF1BB06300F41852DE949C7341EBB49944CFA2

    Control-flow Graph

    APIs
    Strings
    • ;, xrefs: 6D035F18
    • runtime: failed to signal runtime initialization complete., xrefs: 6D035F2C
    • unexpected cgo_bindm on Windows, xrefs: 6D035EA4
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: cafcaffcc3bc44232a29bb654a1293c20349bdc9c16d13bea2948b6646abb2d5
    • Instruction ID: d45169474bc5c93afdca36e5eb0ae7f247ffb5f6adf8ca596607c7fdf3fedb27
    • Opcode Fuzzy Hash: cafcaffcc3bc44232a29bb654a1293c20349bdc9c16d13bea2948b6646abb2d5
    • Instruction Fuzzy Hash: 601193B5808251DFEB00BF79D10E32EBAF4BB45304F42891CE98597245DBB5A158CFA3
    APIs
    Strings
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D0365C7
    • VirtualProtect failed with code 0x%x, xrefs: 6D03659A
    • Address %p has no image-section, xrefs: 6D0365DB
    • @, xrefs: 6D036578
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 8021f73c2c030d71c060536be4fcce4cdd150d0242bd50c0a419a7224fcc57e6
    • Instruction ID: b25597f9626ed1fc0d2670de16e9267b7cb22438e0d8f300401c53640fb610bd
    • Opcode Fuzzy Hash: 8021f73c2c030d71c060536be4fcce4cdd150d0242bd50c0a419a7224fcc57e6
    • Instruction Fuzzy Hash: 5C416CB69043129FE700EF69D48571AFBF0FB85354F42CA2DE9589B214E770E444CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction ID: 89a64a7e3e0d8ea00a4646cd83330c200569ef8d03c25bcd1852658cf6ca7aae
    • Opcode Fuzzy Hash: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction Fuzzy Hash: 3F011EB5809315DFD710BFBDA60A31EBEF8AB46755F02856DD88987200DB7094148BA3
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction ID: 4a202f2b2f46d8e159116b5a94e5ad29fbc43cab268ec21c630205a2171ea9a0
    • Opcode Fuzzy Hash: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction Fuzzy Hash: B751A6756083269FE740DF29D48036EB7E5FBC8304F46892EE998DB200E776D545CB92
    APIs
    • malloc.MSVCRT ref: 6D03606F
    • fwrite.MSVCRT ref: 6D0360BD
    • abort.MSVCRT ref: 6D0360C2
    • free.MSVCRT ref: 6D0360E5
      • Part of subcall function 6D035FB0: _beginthread.MSVCRT ref: 6D035FD6
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE1
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE8
      • Part of subcall function 6D035FB0: fprintf.MSVCRT ref: 6D036008
      • Part of subcall function 6D035FB0: abort.MSVCRT ref: 6D03600D
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 91a0b7960e30e214d4b84295ed191c7e5a53a11acbf5fc1f3a63168d8cf6dc39
    • Instruction ID: b8d3bc4a8cccbcaa7c5a427743cb2e65dd9d8aab852bc0371fbdf802165a967e
    • Opcode Fuzzy Hash: 91a0b7960e30e214d4b84295ed191c7e5a53a11acbf5fc1f3a63168d8cf6dc39
    • Instruction Fuzzy Hash: F021E5B4908711CFD700AF29D58861AFBF4FF89304F46899DE9888B326D3799840CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6D035CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D035D89), ref: 6D035CEB
    • fwrite.MSVCRT ref: 6D035D20
    • abort.MSVCRT ref: 6D035D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D035D19
    • =, xrefs: 6D035D05
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: a6168fd3e94b4fa18a6af0c6429c164b569bc11ccb1f08152ece2042623a15d9
    • Instruction ID: 8aa4e3a004159fa518701573731ee358c25a12648cb4e866be3c4b7b976dd432
    • Opcode Fuzzy Hash: a6168fd3e94b4fa18a6af0c6429c164b569bc11ccb1f08152ece2042623a15d9
    • Instruction Fuzzy Hash: 82F0C9B0808302DFE700BF69D51932EBAF4BB41344F82895CD8998A240DBB991548F53
    APIs
    • Sleep.KERNEL32(?,?,?,6CFA12E0,?,?,?,?,?,?,6CFA13A3), ref: 6CFA1057
    • _amsg_exit.MSVCRT ref: 6CFA1085
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: b8c080ad343cc7c8ba7f5a5d0e7ae70b53e8f3bf4a73b042e4e51ed9309c0317
    • Instruction ID: 8020140b990c0b824d14d122e48c51fe6cb8b6821224d4d0600b92beae3accbb
    • Opcode Fuzzy Hash: b8c080ad343cc7c8ba7f5a5d0e7ae70b53e8f3bf4a73b042e4e51ed9309c0317
    • Instruction Fuzzy Hash: 8041AE72608240CBEB00AFAAD48470BB7F5FB82748F12CA2DD5548B644DBB5C482CB93
    APIs
    • VirtualQuery.KERNEL32 ref: 6D03652D
    • VirtualProtect.KERNEL32 ref: 6D036587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0E5388), ref: 6D036594
      • Part of subcall function 6D037220: fwrite.MSVCRT ref: 6D03724F
      • Part of subcall function 6D037220: vfprintf.MSVCRT ref: 6D03726F
      • Part of subcall function 6D037220: abort.MSVCRT ref: 6D037274
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 8ffbae1a81bc463fa4db25d848dc9fc2a5b422ed1d358742109639c2df6a34e1
    • Instruction ID: 992065e27395b75ddce6e198bd0ea2b319bab8bc2b889931e306aa2fcdf9a000
    • Opcode Fuzzy Hash: 8ffbae1a81bc463fa4db25d848dc9fc2a5b422ed1d358742109639c2df6a34e1
    • Instruction Fuzzy Hash: 2D2128B68043128FE700EF29D485719FBF0FF84314F42CA2DE99897254E770D5448B92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 858b516b7b289c757f1c694de5c9c103fc3d922e3c5780db63a8899b7eb4b48d
    • Instruction ID: 940a458c031419c76019de8e349edd1fbfeb30d7e8eb60295b342ddcf7ae0003
    • Opcode Fuzzy Hash: 858b516b7b289c757f1c694de5c9c103fc3d922e3c5780db63a8899b7eb4b48d
    • Instruction Fuzzy Hash: 33015FB4408302DFE700AF69D59971FBBF0BB98349F018A1DE9D897250D7B986498F93
    APIs
    • bsearch.MSVCRT ref: 6D034D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D035BEF), ref: 6D034D9A
    • malloc.MSVCRT ref: 6D034DC8
    • qsort.MSVCRT ref: 6D034E16
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction ID: f3726d8690514ea81f2a2d049e8c89df5ebb6772147bff2e37417d3e0bb127bf
    • Opcode Fuzzy Hash: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction Fuzzy Hash: FF415B75A083129FE710DF29D48072AB7F5FF88314F06892DE8898B714E775E854CB92
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction ID: 641631b120be2bb29516fe888ebe434df9a58f96d35e7c31465bc85c418a0ae9
    • Opcode Fuzzy Hash: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction Fuzzy Hash: 2221D774614206CBE700EB39D84976677F0FF49314F468928E5A9CB290EB75E809CB52
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: eecd00800fddf7e9ac07304e6d6ecf8701185e0e61bc8e8e3e00a2b8ebc2568d
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: CA115E71908222CFF7009F6CC88076A7BE4FF85354F568A69E598CB385EB74D840CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D036289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D03629A
    • GetCurrentThreadId.KERNEL32 ref: 6D0362A2
    • GetTickCount.KERNEL32 ref: 6D0362AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D0362B9
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction ID: aa01ed1ba078856b66c40604cd81f5a3ca7421f915e61161451b3c7ef2a40690
    • Opcode Fuzzy Hash: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction Fuzzy Hash: B4115EB55053028BDB10EF79E48874BBBF5FB89254F464E39E444C7200EB31D9488B92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D035E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E50
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction ID: 75bd92f05904712af5d1138305d126be69855629d33e2425f9a61e37eeca29ef
    • Opcode Fuzzy Hash: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction Fuzzy Hash: F00175B5914305CFDB00FF7DE58961ABBF9AF46210F42052DD8904B254DBB1A568CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D037248
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: ad49a7eaac484193d50102945ad1404771415eb448200509c21eae19a8c2547f
    • Instruction ID: abec0de0c452777497bdf3e3441078fb52b01ced2671407c528633d7feef8c73
    • Opcode Fuzzy Hash: ad49a7eaac484193d50102945ad1404771415eb448200509c21eae19a8c2547f
    • Instruction Fuzzy Hash: A2E0AEB080C31ADEE300AF65C08531EFAE4AF89348F43891CE2C847241C77894848B63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFA12A5), ref: 6D036709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6D036864
    • Unknown pseudo relocation bit size %d., xrefs: 6D036799
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: aab149709d509464592a56a72cf15930ffb5ae8d5185b8ff09c0b8e2aec9fc03
    • Instruction ID: 8afbdea2a467e2156143a81daf31effb3f03e2974ab35e06e271c1cfaac5a158
    • Opcode Fuzzy Hash: aab149709d509464592a56a72cf15930ffb5ae8d5185b8ff09c0b8e2aec9fc03
    • Instruction Fuzzy Hash: 3661E075A042278FEB08DFA8D4C0769B7F1FB85354F96CA2DE8059B345D3B0A8118BD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 25b22b7175423207ea6e18c7ab8b3ce05f1705546bb134742705b10d416cf01b
    • Instruction ID: 46061eb0c4609e974fce5c806c714de44b0f2b7e30fc61d2a3569b1e531301c1
    • Opcode Fuzzy Hash: 25b22b7175423207ea6e18c7ab8b3ce05f1705546bb134742705b10d416cf01b
    • Instruction Fuzzy Hash: 3101C9B981C322DFE700AF69944936EBBE4AF49358F43891DE9C897251E775C440CB53
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction ID: a3a6bb79fca4a873a92eee24565d36daffe320853111629be77ac5dd8faf0526
    • Opcode Fuzzy Hash: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction Fuzzy Hash: A221E5B5A08212DBEB00EF25D1C471ABBE1BF88204F16C96CE8898F309D735D844CF82
    APIs
    Memory Dump Source
    • Source File: 00000012.00000002.1379465303.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000012.00000002.1379324324.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379831575.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1379926718.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380025517.000000006D03A000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380157619.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380476567.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380586922.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380786010.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380864115.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1380967589.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000012.00000002.1381073365.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction ID: e16fa7c0565141f27c6a33359c7655fe2a698f7feadc23692463e87a80932af4
    • Opcode Fuzzy Hash: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction Fuzzy Hash: ACF044B59042168FEB007F6DD489A1ABBB4EE49350B06066CDD4497305EF70E559CBE3

    Execution Graph

    Execution Coverage: 0%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 0%
    Total number of Nodes: 11
    Total number of Limit Nodes: 1
    Execution graph edges (the flattened graph data rebuilt as an edge list; node addresses and API names as recorded):
    • 6d00cea0 -> 6d00cec8 (VirtualAlloc)
    • 6d00cea0 -> 6d00ceb9 -> 6d00cec8 (VirtualAlloc)
    • 6d035fb0 -> 6d035fc7 (_beginthread) -> 6d036012
    • 6d035fc7 (_beginthread) -> 6d035fe1 (_errno) -> 6d036020 (Sleep) -> 6d035fc7 (_beginthread), a retry loop
    • 6d036020 (Sleep) -> 6d036034 -> 6d035fe8 (_errno) -> 6d035ff9 (fprintf, abort) -> 6d036012
    • 6d035fe1 (_errno) -> 6d035fe8 (_errno)

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D035FF9
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: a65a04c5bad0a553c0abce69dc016b660a9781f7e78f106bd453554fae8dd053
    • Instruction ID: 1a83f5aafa275cfd579be11a981e5e2df959930c3a4d328de2956b8a793a7776
    • Opcode Fuzzy Hash: a65a04c5bad0a553c0abce69dc016b660a9781f7e78f106bd453554fae8dd053
    • Instruction Fuzzy Hash: 7A016D74408326DFD7007F69D88872FBBF4EF86320F42492DE59583260CB709440DAA3
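    The strings carried by the functions in these records ("Mingw-w64 runtime failure:", "Unknown pseudo relocation protocol version %d.", "runtime: failed to create new OS thread (%d)", "runtime/cgo: out of memory in thread_start", "libgcc_s_dw2-1.dll") name the MinGW-w64 C runtime and the Go runtime/cgo thread-start code, so the VirtualProtect caller with the pseudo-relocation messages and the _beginthread/Sleep retry loop above are runtime housekeeping rather than logic specific to this sample. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it tags those fingerprint strings in a file or memory dump so an analyst can set the runtime boilerplate aside before reading the remaining functions. The fingerprint list is taken from the strings shown in this report; the sample buffer is constructed for the demonstration and is not the analysed DLL.

```python
"""Tag compiler/runtime boilerplate strings in a PE or memory dump.

Added example for reading this report; not part of the Joe Sandbox output
and not code from the analysed sample.  The fingerprint strings are the ones
listed in the report's function records.  SAMPLE is a constructed stand-in
for a memory dump, not the real DLL.
"""
import re
from collections import defaultdict

# Strings from the report's function records, grouped by the runtime the
# strings themselves name (MinGW-w64 CRT pseudo-relocation/exception setup,
# Go runtime/cgo thread start).  Extend the lists as new ones are seen.
RUNTIME_FINGERPRINTS = {
    "mingw-w64 crt": [
        b"Mingw-w64 runtime failure:",
        b"Unknown pseudo relocation protocol version %d.",
        b"Unknown pseudo relocation bit size %d.",
        b"VirtualProtect failed with code 0x%x",
        b"VirtualQuery failed for %d bytes at address %p",
        b"Address %p has no image-section",
        b"libgcc_s_dw2-1.dll",
        b"__register_frame_info",
        b"__deregister_frame_info",
    ],
    "go runtime/cgo": [
        b"runtime: failed to create new OS thread (%d)",
        b"runtime/cgo: out of memory in thread_start",
        b"runtime: failed to signal runtime initialization complete.",
        b"unexpected cgo_bindm on Windows",
    ],
}


def find_runtime_strings(data: bytes) -> dict:
    """Return {runtime: [(offset, string), ...]} for every fingerprint found.

    Offsets are byte offsets into `data`; add the dump's base address (for the
    dumps in this report, 0x6CFA0000) to get the virtual address.
    """
    hits = defaultdict(list)
    for runtime, needles in RUNTIME_FINGERPRINTS.items():
        for needle in needles:
            for m in re.finditer(re.escape(needle), data):
                hits[runtime].append((m.start(), needle.decode()))
    return dict(hits)


def classify(data: bytes) -> list:
    """Runtimes whose fingerprints appear in `data`, most hits first."""
    hits = find_runtime_strings(data)
    return sorted(hits, key=lambda r: len(hits[r]), reverse=True)


def scan_file(path: str) -> dict:
    """Convenience wrapper for a .sdmp dump or the DLL on disk."""
    with open(path, "rb") as f:
        return find_runtime_strings(f.read())


# Constructed sample buffer: three of the strings with filler bytes between
# them, standing in for a memory dump.  Not the analysed DLL.
SAMPLE = (
    b"\x00" * 16
    + b"Mingw-w64 runtime failure:\x00"
    + b"\x90" * 8
    + b"runtime/cgo: out of memory in thread_start\x00"
    + b"Unknown pseudo relocation bit size %d.\x00"
)

if __name__ == "__main__":
    for runtime, found in find_runtime_strings(SAMPLE).items():
        print(runtime)
        for offset, text in found:
            print(f"  {offset:#010x}  {text}")
```

    Point scan_file at a downloaded .sdmp or the DLL itself; a function whose xrefs land on one of the reported offsets is runtime code and can be deprioritised, while functions with no such strings are where any sample-specific behaviour would have to be.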

    Control-flow Graph

    Control-flow graph edges (the flattened graph data rebuilt as an edge list; basic blocks given as address ranges):
    • 6d00cea0-6d00ceb7 -> 6d00cec8-6d00cee0 (VirtualAlloc)
    • 6d00cea0-6d00ceb7 -> 6d00ceb9-6d00cec6 -> 6d00cec8-6d00cee0 (VirtualAlloc)
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cb090b5f4a9b1e7a49aa4cf414030b1464c0b68a7e1920abc975b6d50006655f
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 20E0E571505640CFDB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 89948e44c1859b161a98d26fa8500de62d3eb7affce6cca8e40e977ba6c389a2
    • Instruction ID: 4be90816c1fbcb8af72fdea2e60dc273acc1a68eb8aee82e11ae3e21e9674bcb
    • Opcode Fuzzy Hash: 89948e44c1859b161a98d26fa8500de62d3eb7affce6cca8e40e977ba6c389a2
    • Instruction Fuzzy Hash: 6311A4B5904206DFDB00FF69D14976ABBF1BB4A304F41892DE988C7351EBB49944CFA2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D03634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D03635F
    • GetCurrentProcess.KERNEL32 ref: 6D036368
    • TerminateProcess.KERNEL32 ref: 6D036379
    • abort.MSVCRT ref: 6D036382
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: a74123390a6598efa16750cf2581c65db6ad6eda792974bf2d6b567d4cf4aea7
    • Instruction ID: 8658016ed1f98eb3abb04f90809f4c0da47437c8575657b00cb31087b484652a
    • Opcode Fuzzy Hash: a74123390a6598efa16750cf2581c65db6ad6eda792974bf2d6b567d4cf4aea7
    • Instruction Fuzzy Hash: ED11B3B5804206DFDB00FF6AE1497697BF1BB06300F41852DE949C7341EBB49944CFA2

    Control-flow Graph

    APIs
    Strings
    • ;, xrefs: 6D035F18
    • unexpected cgo_bindm on Windows, xrefs: 6D035EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6D035F2C
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: cafcaffcc3bc44232a29bb654a1293c20349bdc9c16d13bea2948b6646abb2d5
    • Instruction ID: d45169474bc5c93afdca36e5eb0ae7f247ffb5f6adf8ca596607c7fdf3fedb27
    • Opcode Fuzzy Hash: cafcaffcc3bc44232a29bb654a1293c20349bdc9c16d13bea2948b6646abb2d5
    • Instruction Fuzzy Hash: 601193B5808251DFEB00BF79D10E32EBAF4BB45304F42891CE98597245DBB5A158CFA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CFA12E0,?,?,?,?,?,?,6CFA13A3), ref: 6CFA1057
    • _amsg_exit.MSVCRT ref: 6CFA1085
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: 0?T
    • API String ID: 1015461914-4025647955
    • Opcode ID: b8c080ad343cc7c8ba7f5a5d0e7ae70b53e8f3bf4a73b042e4e51ed9309c0317
    • Instruction ID: 8020140b990c0b824d14d122e48c51fe6cb8b6821224d4d0600b92beae3accbb
    • Opcode Fuzzy Hash: b8c080ad343cc7c8ba7f5a5d0e7ae70b53e8f3bf4a73b042e4e51ed9309c0317
    • Instruction Fuzzy Hash: 8041AE72608240CBEB00AFAAD48470BB7F5FB82748F12CA2DD5548B644DBB5C482CB93
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6D03659A
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D0365C7
    • @, xrefs: 6D036578
    • Address %p has no image-section, xrefs: 6D0365DB
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 8021f73c2c030d71c060536be4fcce4cdd150d0242bd50c0a419a7224fcc57e6
    • Instruction ID: b25597f9626ed1fc0d2670de16e9267b7cb22438e0d8f300401c53640fb610bd
    • Opcode Fuzzy Hash: 8021f73c2c030d71c060536be4fcce4cdd150d0242bd50c0a419a7224fcc57e6
    • Instruction Fuzzy Hash: 5C416CB69043129FE700EF69D48571AFBF0FB85354F42CA2DE9589B214E770E444CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction ID: 89a64a7e3e0d8ea00a4646cd83330c200569ef8d03c25bcd1852658cf6ca7aae
    • Opcode Fuzzy Hash: efba1bd71a6ec0eca683e222030f3244deedd536189898fad870fed811ad7372
    • Instruction Fuzzy Hash: 3F011EB5809315DFD710BFBDA60A31EBEF8AB46755F02856DD88987200DB7094148BA3
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction ID: 4a202f2b2f46d8e159116b5a94e5ad29fbc43cab268ec21c630205a2171ea9a0
    • Opcode Fuzzy Hash: 5d00aac3864163652111c7654a910e4bfe13d8c15166267f84e4bf8c8604f38b
    • Instruction Fuzzy Hash: B751A6756083269FE740DF29D48036EB7E5FBC8304F46892EE998DB200E776D545CB92
    APIs
    • malloc.MSVCRT ref: 6D03606F
    • fwrite.MSVCRT ref: 6D0360BD
    • abort.MSVCRT ref: 6D0360C2
    • free.MSVCRT ref: 6D0360E5
      • Part of subcall function 6D035FB0: _beginthread.MSVCRT ref: 6D035FD6
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE1
      • Part of subcall function 6D035FB0: _errno.MSVCRT ref: 6D035FE8
      • Part of subcall function 6D035FB0: fprintf.MSVCRT ref: 6D036008
      • Part of subcall function 6D035FB0: abort.MSVCRT ref: 6D03600D
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 91a0b7960e30e214d4b84295ed191c7e5a53a11acbf5fc1f3a63168d8cf6dc39
    • Instruction ID: b8d3bc4a8cccbcaa7c5a427743cb2e65dd9d8aab852bc0371fbdf802165a967e
    • Opcode Fuzzy Hash: 91a0b7960e30e214d4b84295ed191c7e5a53a11acbf5fc1f3a63168d8cf6dc39
    • Instruction Fuzzy Hash: F021E5B4908711CFD700AF29D58861AFBF4FF89304F46899DE9888B326D3799840CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6D035CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D035D89), ref: 6D035CEB
    • fwrite.MSVCRT ref: 6D035D20
    • abort.MSVCRT ref: 6D035D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D035D19
    • =, xrefs: 6D035D05
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: a6168fd3e94b4fa18a6af0c6429c164b569bc11ccb1f08152ece2042623a15d9
    • Instruction ID: 8aa4e3a004159fa518701573731ee358c25a12648cb4e866be3c4b7b976dd432
    • Opcode Fuzzy Hash: a6168fd3e94b4fa18a6af0c6429c164b569bc11ccb1f08152ece2042623a15d9
    • Instruction Fuzzy Hash: 82F0C9B0808302DFE700BF69D51932EBAF4BB41344F82895CD8998A240DBB991548F53
    APIs
    • VirtualQuery.KERNEL32 ref: 6D03652D
    • VirtualProtect.KERNEL32 ref: 6D036587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0E5388), ref: 6D036594
      • Part of subcall function 6D037220: fwrite.MSVCRT ref: 6D03724F
      • Part of subcall function 6D037220: vfprintf.MSVCRT ref: 6D03726F
      • Part of subcall function 6D037220: abort.MSVCRT ref: 6D037274
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 8ffbae1a81bc463fa4db25d848dc9fc2a5b422ed1d358742109639c2df6a34e1
    • Instruction ID: 992065e27395b75ddce6e198bd0ea2b319bab8bc2b889931e306aa2fcdf9a000
    • Opcode Fuzzy Hash: 8ffbae1a81bc463fa4db25d848dc9fc2a5b422ed1d358742109639c2df6a34e1
    • Instruction Fuzzy Hash: 2D2128B68043128FE700EF29D485719FBF0FF84314F42CA2DE99897254E770D5448B92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 858b516b7b289c757f1c694de5c9c103fc3d922e3c5780db63a8899b7eb4b48d
    • Instruction ID: 940a458c031419c76019de8e349edd1fbfeb30d7e8eb60295b342ddcf7ae0003
    • Opcode Fuzzy Hash: 858b516b7b289c757f1c694de5c9c103fc3d922e3c5780db63a8899b7eb4b48d
    • Instruction Fuzzy Hash: 33015FB4408302DFE700AF69D59971FBBF0BB98349F018A1DE9D897250D7B986498F93
    APIs
    • bsearch.MSVCRT ref: 6D034D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D035BEF), ref: 6D034D9A
    • malloc.MSVCRT ref: 6D034DC8
    • qsort.MSVCRT ref: 6D034E16
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction ID: f3726d8690514ea81f2a2d049e8c89df5ebb6772147bff2e37417d3e0bb127bf
    • Opcode Fuzzy Hash: 8df4163c1fc56df463872578181824e63f056d19ec0bfe6c7dd83c01f7c575b4
    • Instruction Fuzzy Hash: FF415B75A083129FE710DF29D48072AB7F5FF88314F06892DE8898B714E775E854CB92
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction ID: 641631b120be2bb29516fe888ebe434df9a58f96d35e7c31465bc85c418a0ae9
    • Opcode Fuzzy Hash: 026d44420009034860c6988a266122c44096d6ebf819ff37147dc3d91f64ae33
    • Instruction Fuzzy Hash: 2221D774614206CBE700EB39D84976677F0FF49314F468928E5A9CB290EB75E809CB52
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: eecd00800fddf7e9ac07304e6d6ecf8701185e0e61bc8e8e3e00a2b8ebc2568d
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: CA115E71908222CFF7009F6CC88076A7BE4FF85354F568A69E598CB385EB74D840CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D036289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D03629A
    • GetCurrentThreadId.KERNEL32 ref: 6D0362A2
    • GetTickCount.KERNEL32 ref: 6D0362AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CFA13B9), ref: 6D0362B9
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction ID: aa01ed1ba078856b66c40604cd81f5a3ca7421f915e61161451b3c7ef2a40690
    • Opcode Fuzzy Hash: 84505eafaae587b386f30304fc7ceb8dc26961244bfa2a11ecf8b91ad03ed1f8
    • Instruction Fuzzy Hash: B4115EB55053028BDB10EF79E48874BBBF5FB89254F464E39E444C7200EB31D9488B92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D035E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0345D9), ref: 6D035E50
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction ID: 75bd92f05904712af5d1138305d126be69855629d33e2425f9a61e37eeca29ef
    • Opcode Fuzzy Hash: b659e394d53e915b44db5ca1b153161ded35e8c1219786b967dcea9ff281f972
    • Instruction Fuzzy Hash: F00175B5914305CFDB00FF7DE58961ABBF9AF46210F42052DD8904B254DBB1A568CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D037248
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: ad49a7eaac484193d50102945ad1404771415eb448200509c21eae19a8c2547f
    • Instruction ID: abec0de0c452777497bdf3e3441078fb52b01ced2671407c528633d7feef8c73
    • Opcode Fuzzy Hash: ad49a7eaac484193d50102945ad1404771415eb448200509c21eae19a8c2547f
    • Instruction Fuzzy Hash: A2E0AEB080C31ADEE300AF65C08531EFAE4AF89348F43891CE2C847241C77894848B63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFA12A5), ref: 6D036709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6D036864
    • Unknown pseudo relocation bit size %d., xrefs: 6D036799
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: aab149709d509464592a56a72cf15930ffb5ae8d5185b8ff09c0b8e2aec9fc03
    • Instruction ID: 8afbdea2a467e2156143a81daf31effb3f03e2974ab35e06e271c1cfaac5a158
    • Opcode Fuzzy Hash: aab149709d509464592a56a72cf15930ffb5ae8d5185b8ff09c0b8e2aec9fc03
    • Instruction Fuzzy Hash: 3661E075A042278FEB08DFA8D4C0769B7F1FB85354F96CA2DE8059B345D3B0A8118BD2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 25b22b7175423207ea6e18c7ab8b3ce05f1705546bb134742705b10d416cf01b
    • Instruction ID: 46061eb0c4609e974fce5c806c714de44b0f2b7e30fc61d2a3569b1e531301c1
    • Opcode Fuzzy Hash: 25b22b7175423207ea6e18c7ab8b3ce05f1705546bb134742705b10d416cf01b
    • Instruction Fuzzy Hash: 3101C9B981C322DFE700AF69944936EBBE4AF49358F43891DE9C897251E775C440CB53
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction ID: a3a6bb79fca4a873a92eee24565d36daffe320853111629be77ac5dd8faf0526
    • Opcode Fuzzy Hash: 3390865ff85d0b5f092ea770ccbfb8640d95086a12b6b7bb5e29a78f16f3254e
    • Instruction Fuzzy Hash: A221E5B5A08212DBEB00EF25D1C471ABBE1BF88204F16C96CE8898F309D735D844CF82
    APIs
    Memory Dump Source
    • Source File: 00000016.00000002.1376301852.000000006CFA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CFA0000, based on PE: true
    • Associated: 00000016.00000002.1376219422.000000006CFA0000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376575329.000000006D038000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376654622.000000006D039000.00000008.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376771536.000000006D03D000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1376868868.000000006D03F000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377140803.000000006D0E8000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0EE000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377234604.000000006D0F3000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377486111.000000006D106000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1377659531.000000006D10D000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378012948.000000006D10E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000016.00000002.1378157510.000000006D111000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_6cfa0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction ID: e16fa7c0565141f27c6a33359c7655fe2a698f7feadc23692463e87a80932af4
    • Opcode Fuzzy Hash: 58f87414ffa2aec1ac285bc12c42cb409f9ecd809bde30b01f29ecc7ac57e513
    • Instruction Fuzzy Hash: ACF044B59042168FEB007F6DD489A1ABBB4EE49350B06066CDD4497305EF70E559CBE3